author | Markus Warg <mw@it-sls.de> | 2010-03-11 15:17:02 +0100 |
---|---|---|
committer | Markus Warg <mw@it-sls.de> | 2010-03-11 15:17:02 +0100 |
commit | 83b70a122092220d839d8a62c2b07913faa20fce (patch) | |
tree | 9b39a35e5183d9a36a3c3df38cf185f99de6708b /cacert/www | |
download | cacert-devel-83b70a122092220d839d8a62c2b07913faa20fce.tar.gz cacert-devel-83b70a122092220d839d8a62c2b07913faa20fce.tar.xz cacert-devel-83b70a122092220d839d8a62c2b07913faa20fce.zip |
source code taken from cacert-20090625.tar.bz2
Diffstat (limited to 'cacert/www')
140 files changed, 16300 insertions, 0 deletions
diff --git a/cacert/www/.htaccess b/cacert/www/.htaccess
new file mode 100644
index 0000000..bb5fe0e
--- /dev/null
+++ b/cacert/www/.htaccess
@@ -0,0 +1,5 @@
+php_value auto_prepend_file /www/includes/general.php
+php_value output_buffering 1
+errordocument 404 /error404.php
+errordocument 403 /error403.php
+errordocument 401 /error401.php
diff --git a/cacert/www/CVS/Entries b/cacert/www/CVS/Entries
new file mode 100644
index 0000000..81172fe
--- /dev/null
+++ b/cacert/www/CVS/Entries
@@ -0,0 +1,40 @@
+/.htaccess/1.2/Thu Dec 9 01:48:16 2004//
+/ac.js/1.1/Sun Dec 4 21:02:35 2005//
+D/api////
+D/certs////
+D/docs////
+D/iistutorial////
+D/images////
+D/logos////
+D/siteimages////
+D/styles////
+/error403.php/1.1/Sun Jan 28 18:41:58 2007//
+D/policy////
+D/tverify////
+D/cats////
+/error404.php/1.2/Sun Apr 6 19:45:25 2008//
+/news.php/1.3/Sun Apr 6 19:45:25 2008//
+/sqldump.php/1.5/Sun Apr 6 19:45:25 2008//
+/stats.php/1.10/Mon Aug 25 21:04:26 2008//
+/rss.php/1.4/Wed Sep 3 18:44:17 2008//
+/sealgen.php/1.4/Wed Sep 3 18:44:17 2008//
+/src-lic.php/1.48/Wed Sep 3 18:44:17 2008//
+/ttp.php/1.10/Wed Sep 3 18:44:17 2008//
+/verify.php/1.11/Sun Sep 21 04:01:53 2008//
+/analyse.php/1.5/Sun Sep 28 20:13:12 2008//
+/help.php/1.5/Sun Sep 28 20:13:12 2008//
+/advertising.php/1.4/Fri Nov 14 23:40:28 2008//
+/logos.php/1.14/Fri Nov 14 23:40:28 2008//
+/ac.php/1.6/Mon Nov 24 12:43:46 2008//
+/alert_hash_collision.php/1.2/Mon Jan 5 10:34:38 2009//
+/disputes.php/1.19/Thu Jan 22 20:43:20 2009//
+/cap.html.php/1.1/Mon Mar 2 23:09:05 2009//
+/capnew.php/1.2/Mon Mar 2 23:12:37 2009//
+/coap.html.php/1.1/Mon Mar 2 23:09:05 2009//
+/coapnew.php/1.2/Mon Mar 2 23:12:37 2009//
+/account.php/1.16/Tue Mar 10 01:50:34 2009//
+/cps.php/1.7/Fri Apr 10 23:09:07 2009//
+/index.php/1.59/Fri Apr 10 23:09:08 2009//
+/cap.php/1.17/Thu Jun 25 20:09:35 2009//
+/gpg.php/1.26/Thu Jun 25 20:09:35 2009//
+/wot.php/1.54/Thu Jun 25 20:09:35 2009//
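Review bot: Nothing in this `.htaccess` keeps the `CVS/` bookkeeping files that the same commit adds under `cacert/www/` from being served. `CVS/Entries` enumerates every script and directory with its revision (including `sqldump.php`), and `CVS/Root` gives the repository path `/var/lib/cvs`. If `cacert/www` is the document root, as the `errordocument` paths suggest, add a rule such as `RedirectMatch 404 /CVS(/|$)` here, or better, leave the `CVS` directories out of the import. The same applies to `cacert/www/api/CVS/`.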
diff --git a/cacert/www/CVS/Repository b/cacert/www/CVS/Repository
new file mode 100644
index 0000000..87b233f
--- /dev/null
+++ b/cacert/www/CVS/Repository
@@ -0,0 +1 @@
+cacert/www
diff --git a/cacert/www/CVS/Root b/cacert/www/CVS/Root
new file mode 100644
index 0000000..a363882
--- /dev/null
+++ b/cacert/www/CVS/Root
@@ -0,0 +1 @@
+/var/lib/cvs
diff --git a/cacert/www/ac.js b/cacert/www/ac.js
new file mode 100644
index 0000000..60f3bea
--- /dev/null
+++ b/cacert/www/ac.js
@@ -0,0 +1,547 @@
+/* vim:ts=4:sts=4:sw=2:noai:noexpandtab
+ *
+ * Auto-complete client side javascript.
+ * Copyright (c) 2005 Steven McCoy <fnjordy@gmail.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* format of constructor is overloaded:
+ * AC(<type>, <id>, <submit callback>)
+ * AC(<type>, <id>)
+ * AC(<id>)
+ */
+function AC(id) {
+/* find search type */
+ if (arguments.length > 1) {
+ this.type = arguments[0];
+ id = arguments[1];
+ } else {
+ this.type = id;
+ }
+
+/* input element we are autocompleting on */
+ this.obj = document.getElementById(id);
+ this.obj.value = '';
+
+/* base url to send request too */
+ this.url = '/ac.php';
+
+/* function to call when option selected */
+ this.submit_callback = (arguments.length > 2) ? arguments[2] : null;
+
+/* popup layer we will display results in */
+ this.div = document.createElement('DIV');
+ this.div.className = 'ac_menu';
+ this.div.style.visibility = 'hidden';
+ this.div.style.position = 'absolute';
+ this.div.style.zIndex = 1;
+ this.div.style.width = this.obj.offsetWidth - 2 + "px";
+
+ this.div.style.left = this.total_offset(this.obj,'offsetLeft') + "px";
+ this.div.style.top = this.total_offset(this.obj,'offsetTop') + this.obj.offsetHeight - 1 + "px";
+
+/* tie to input element */
+ this.obj.parentNode.insertBefore(this.div, this.obj.nextSibling);
+
+/* iframe for non-XmlHttpRequest() browsers */
+ this.iframe = null;
+
+/* install event handlers */
+ this.obj.onkeydown = this.onkeydown;
+ this.obj.onkeyup = this.onkeyup;
+ this.obj.onkeypress = this.onkeypress;
+ this.obj.onblur = function() { this.AC.close_popup(); }
+
+ this.obj.AC = this; /* self reference */
+ this.selected_option = null; /* the currently selected option */
+
+ this.request = null; /* http request object */
+ this.cache = new Array(); /* cache of results from server */
+ this.typing = false; /* whether user is still typing */
+ this.typing_timeout = 10;
+ this.sending_timeout = 10;
+
+ this.search_term = null; /* current search term */
+ this.previous_term = null; /* previous search term */
+ this.searched_term = null; /* search from keyboard */
+
+ this.last_input = null; /* previous typed entry */
+
+/* Unicode inputs require polling of the input control for updates */
+ this.poll_input = false;
+
+/* update extern mapping array for rpc reply */
+ _ac_map_add(this);
+}
+
+AC.prototype.enable_unicode = function() {
+ this.poll_input = true;
+ _ac_key_check(this,this.typing_timeout);
+}
+
+AC.prototype.total_offset = function(element, property) {
+ var total = 0;
+ while (element) {
+ total += element[property];
+ element = element.offsetParent;
+ }
+ return total;
+}
+
+/* hide popup and cleanup */
+AC.prototype.close_popup = function() {
+ this.div.style.visibility = 'hidden';
+
+/* no selected item, no typing, and close any pending request */
+ this.selected_option = null;
+ this.typing = false;
+ this.search_term = null;
+ this.previous_term = null;
+}
+
+/* create object for rpc call */
+AC.prototype.XMLHttpRequest = function() {
+ var request = null;
+ if (typeof XMLHttpRequest != 'undefined') {
+ request = new XMLHttpRequest();
+ } else {
+ try {
+ request = new ActiveXObject('Msxml2.XMLHTTP')
+ } catch(e) {
+ try {
+ request = new ActiveXObject('Microsoft.XMLHTTP')
+ } catch(e) {
+ request = null
+ }
+ }
+ }
+ return request;
+}
+
+/* helper functions to process typing timer */
+var _ac_key_thunk = new Array();
+function _ac_key_thunk_call(id) {
+ if (_ac_key_thunk[id]) {
+ var ac = _ac_key_thunk[id][1];
+
+/* now check as if onkeyup() was called */
+/* first find unselected text */
+ var unselected = ac.obj.value;
+ if (document.selection) {
+ var range = document.selection.createRange();
+ if (range) {
+/* to limit the execution this would be nice, but parentElement() not supported in Opera */
+// if (range && range.parentElement && range.parentElement() == ac.obj) {
+ var length = unselected.length - range.text.length;
+ if (length > 0) {
+ unselected = unselected.substring(0, length);
+ }
+ }
+ } else if (ac.obj.setSelectionRange) {
+ var length = ac.obj.selectionEnd - ac.obj.selectionStart;
+ if (length > 0)
+ unselected = unselected.substring(0,ac.obj.selectionStart);
+ }
+
+ if (unselected != ac.last_input) {
+ if (unselected.length > 0) {
+ ac.searched_term = unselected;
+ ac.suggest(ac.searched_term);
+ } else {
+ _ac_cancel(ac);
+ ac.close_popup();
+ }
+ ac.last_input = unselected;
+ }
+
+/* re-install timer for polling */
+ if (ac.poll_input) {
+ _ac_key_thunk[id][2] = setTimeout("_ac_key_thunk_call("+id+")",ac.typing_timeout);
+ } else {
+/* remove from list and cleanup list */
+ _ac_key_thunk[id] = null;
+ for (i = _ac_key_thunk.length; i > 0; i--)
+ if (_ac_key_thunk[i] == null)
+ _ac_key_thunk.length--;
+ }
+ }
+}
+
+function _ac_key_check(ac,timeout) {
+/* first remove any pending key check */
+ for (i = _ac_key_thunk.length-1; i >= 0; i--)
+ if (_ac_key_thunk[i] != null && _ac_key_thunk[i][0] == ac.obj.id) {
+ clearTimeout(_ac_key_thunk[i][2]);
+ _ac_key_thunk[i] = null;
+ }
+
+/* now setup a new one */
+ var i = _ac_key_thunk.length;
+ var handle = setTimeout("_ac_key_thunk_call("+i+")",timeout);
+ _ac_key_thunk[i] = new Array(ac.obj.id,ac,handle);
+}
+
+/* helper functions to process sending timer */
+var _ac_thunk = new Array();
+function _ac_thunk_call(id) {
+ if (_ac_thunk[id]) {
+ var ac = _ac_thunk[id][1];
+ ac.typing = false;
+ ac.send(_ac_thunk[id][2]);
+ _ac_thunk[id] = null;
+ for (i = _ac_thunk.length; i > 0; i--)
+ if (_ac_thunk[i] == null)
+ _ac_thunk.length--;
+ }
+}
+
+/* cancel a pending request */
+function _ac_cancel(ac) {
+ for (i = _ac_thunk.length-1; i >= 0; i--)
+ if (_ac_thunk[i] != null && _ac_thunk[i][0] == ac.obj.id) {
+ clearTimeout(_ac_thunk[i][3]);
+ _ac_thunk[i] = null;
+ }
+}
+
+function _ac_add(ac,query,timeout) {
+ var i = _ac_thunk.length;
+ var handle = setTimeout("_ac_thunk_call("+i+")",timeout);
+ _ac_thunk[i] = new Array(ac.obj.id,ac,query,handle);
+}
+
+/* helper functions for webserver rpc processing */
+var _ac_map = new Array();
+function _ac_map_add(ac) {
+ _ac_map[ac.obj.id] = ac;
+}
+
+/* called to initiation suggestion process */
+AC.prototype.suggest = function(query) {
+/* remove redundant searches */
+ if (query == this.search_term)
+ return;
+
+/* cancel any existing http call */
+ _ac_cancel(this);
+ if (this.request && this.request.readyState != 0) {
+ this.request.abort();
+ }
+
+/* check cache */
+ var lc = query.toLowerCase();
+ for (i = 0; i < this.cache.length; i++)
+ if (this.cache[i][0] == lc) {
+ var results = this.cache[i][1];
+ this.search_term = query;
+ this.update_popup(results);
+ return;
+ }
+
+/* send call to server */
+ this.typing = true;
+ this.send(query);
+}
+
+/* called to send message to a server */
+AC.prototype.send = function(query) {
+/* check throttle timer */
+ if (this.typing) {
+ _ac_add(this,query,this.sending_timeout);
+ return;
+ }
+
+/* initiate new call */
+ this.search_term = query;
+ if (this.iframe == null) {
+ this.request = this.XMLHttpRequest();
+ if (this.request == null) {
+ var iframe = document.createElement('IFRAME');
+ iframe.src = this.url+'?i=1&id='+encodeURI(this.obj.id)+'&t='+encodeURI(this.type)+'&s='+encodeURI(query);
+/* opera 7.54 doesn't like iframe styles */
+ iframe.style.width = '0px';
+ iframe.style.height = '0px';
+ this.iframe = this.obj.appendChild(iframe);
+ this.obj.focus();
+ } else {
+/* send XmlHttpRequest */
+ var AC = this;
+ this.request.onreadystatechange = function() {
+ if (AC.request.readyState == 4) {
+ try {
+ if (AC.request.status != 200 || AC.request.responseText.charAt(0) == '<') {
+ /* some error */
+ } else {
+ eval(AC.request.responseText);
+ }
+ } catch (e) {}
+ }
+ }
+ this.request.open("GET", this.url+"?id="+encodeURI(this.obj.id)+"&t="+encodeURI(this.type)+"&s="+encodeURI(query));
+ this.request.send(null);
+ }
+ } else {
+/* re-submit iframe */
+ this.iframe.src = this.url+'?i=1&id='+encodeURI(this.obj.id)+'&t='+encodeURI(this.type)+'&s='+encodeURI(query);
+ this.obj.focus();
+ }
+}
+
+/* called with array of search results */
+AC.prototype.update_popup = function(results) {
+ if (this.search_term != null && results != null && results.length > 0) {
+/* remove currently listed options */
+ while (this.div.hasChildNodes())
+ this.div.removeChild(this.div.firstChild);
+
+/* default to first result when adding characters */
+ if (this.previous_term == null || this.search_term.length >= this.previous_term.length) {
+ this.selected_option = 0;
+ } else {
+/* remove selection when deleteing */
+ this.selected_option = null;
+ }
+ this.previous_term = this.search_term;
+
+ for (i = 0; i < results.length; i++) {
+ var div = document.createElement('DIV');
+ div.divid = results[i][2];
+ div.AC = this;
+ if (this.selected_option == div.divid)
+ div.className = 'ac_highlight';
+ else
+ div.className = 'ac_normal';
+ div.name = results[i][0];
+ div.value = results[i][1];
+ div.innerHTML = results[i][3];
+ div.onmousedown = function() { this.AC.onselected(); }
+ div.onmouseover = function() {
+if (this.AC.selected_option != null)
+ this.AC.div.childNodes[this.AC.selected_option].className = 'ac_normal';
+this.AC.selected_option = this.divid;
+this.AC.cabbage = this.AC.selected_option;
+this.className = 'ac_highlight';
+}
+ div.onmouseout = function() { this.className = 'ac_normal'; }
+ this.div.appendChild(div);
+ }
+ this.div.style.visibility = 'visible';
+
+/* complete text box with selected text */
+
+ if (this.selected_option == 0 &&
+ (this.obj.createTextRange || this.obj.setSelectionRange) &&
+ this.obj.value != results[0][1] &&
+ results[0][1].substring(0,this.search_term.length).toLowerCase() == this.search_term.toLowerCase())
+ {
+ this.obj.value = results[0][1];
+ if (this.obj.createTextRange) {
+ var range = this.obj.createTextRange();
+ range.moveStart('character',this.search_term.length);
+ range.select();
+ } else {
+// var range = document.createRange();
+// range.setStart(this.obj,this.search_term.length);
+ this.obj.setSelectionRange(this.search_term.length,this.obj.value.length);
+ }
+ }
+ } else {
+ this.close_popup();
+ }
+
+/* update cache */
+ var found = false;
+ var lc = this.search_term.toLowerCase();
+ for (i = 0; i < this.cache.length; i++)
+ if (this.cache[i][0] == lc) {
+ found = true;
+ break;
+ }
+
+ if (!found) {
+ this.cache[this.cache.length] = new Array(lc, results);
+ }
+}
+
+/* update auto-compete input element with selected option */
+AC.prototype.update_input = function() {
+ this.obj.value = this.div.childNodes[this.selected_option].name;
+}
+
+/* when option is clicked with mouse, or entered with keyboard */
+AC.prototype.onselected = function() {
+ if (this.selected_option == null)
+ if (this.cabbage == null)
+ return;
+ else
+ this.selected_option = this.cabbage; /* opera funky */
+
+ this.update_input();
+
+/* hide popup */
+ this.close_popup();
+/* submit form */
+ if (this.submit_callback)
+ this.submit_callback();
+}
+
+/* capture up & down actions to prevent moving cursor left or right */
+/* input.onkeypress() */
+AC.prototype.onkeypress = function(e) {
+ if (!e) e = window.event;
+ var c = e.keyCode;
+ if (c == 0) c = e.charCode;
+ if(e.charCode) {_ac_key_check(this.AC,this.AC.typing_timeout); return;}
+ switch (c) {
+ case 38: /* up */
+ case 40: /* down */
+ e.returnValue = false;
+ if (e.preventDefault) e.preventDefault();
+ break;
+
+ default: break;
+ }
+}
+
+/* move cursor on down to allow repeating */
+/* input.onkeydown() */
+AC.prototype.onkeydown = function(e) {
+ if (!e) e = window.event;
+ var c = e.keyCode;
+ if (c == 0) c = e.charCode;
+ var i = this.AC.selected_option == null ? -1 : this.AC.selected_option;
+ if(e.charCode) {_ac_key_check(this.AC,this.AC.typing_timeout); return;}
+ switch (c) {
+ case 38: /* up */
+ i--;
+ e.returnValue = false;
+ if (e.preventDefault) e.preventDefault();
+ break;
+
+ case 40: /* down */
+ i++;
+ e.returnValue = false;
+ if (e.preventDefault) e.preventDefault();
+ break;
+
+ default:
+ _ac_key_check(this.AC,this.AC.typing_timeout);
+ break;
+ }
+
+ if (c == 38 || c == 40) {
+ var length = this.AC.div.childNodes.length;
+ if (i < 0) i = 0;
+ if (i >= length) i = length-1;
+ if (i != this.AC.selected_option) {
+ for (j = 0; j < length; j++) {
+ if (j == i) {
+ this.AC.obj.value = this.AC.div.childNodes[j].value;
+ this.AC.selected_option = this.AC.div.childNodes[j].divid;
+ this.AC.div.childNodes[j].className = 'ac_highlight';
+ } else {
+ this.AC.div.childNodes[j].className = 'ac_normal';
+ }
+ }
+
+/* update search term */
+ this.AC.search_term = this.AC.div.childNodes[this.AC.selected_option].value;
+
+/* popup if hidden */
+ if (this.AC.div.style.visibility == 'hidden') {
+ this.AC.suggest (this.AC.searched_term);
+ }
+ }
+ }
+}
+
+/* input.onkeyup() */
+AC.prototype.onkeyup = function(e) {
+ if (!e) e = window.event;
+ var c = e.keyCode;
+ if (c == 0) c = e.charCode;
+ switch (c) {
+/* prevent strange selections at top of option list */
+ case 38: /* up */
+ case 40: /* down */
+ e.returnValue = false;
+ if (e.preventDefault) e.preventDefault();
+ break;
+
+/* select highlighted option */
+ case 13: /* enter */
+ this.AC.onselected();
+ e.returnValue = false;
+ if (e.preventDefault) e.preventDefault();
+ break;
+
+/* hide popup window */
+ case 27: /* escape */
+ this.AC.close_popup();
+ e.returnValue = false;
+ if (e.preventDefault) e.preventDefault();
+ break;
+
+/* get new suggestion for new data */
+ default:
+
+/* for latin this is ok:
+ if (this.value.length > 0) {
+ this.AC.searched_term = this.value;
+ this.AC.suggest(this.value);
+ } else {
+ _ac_cancel(this.AC);
+ this.AC.close_popup();
+ }
+*/
+ break;
+ }
+}
+
+/* iframe or XmlHttpRequest() callback */
+function _ac_rpc() {
+ var id = arguments[0];
+ if (_ac_map[id]) {
+/* we cannot shift() arguments as it is an object :( */
+ _ac_map[id].process_reply.apply(_ac_map[id],arguments);
+ }
+}
+
+/* parse rpc results into html for the popup */
+AC.prototype.process_reply = function() {
+ var results = new Array();
+ var c = 0;
+ var re = new RegExp('('+this.searched_term+')', "gi");
+ var nt = '<font color="red"><b>$1</b></font>';
+ for (i = 1; i < arguments.length; i += 2) {
+ var name = this.highlight ? arguments[i+1].replace(re, nt) : arguments[i+1];
+ var value = this.highlight ? arguments[i].replace(re, nt) : arguments[i];
+ var html = "<span class='d'>"+name+"</span><span class='a'>"+value+"</span>";
+ results[c] = new Array(arguments[i+1], arguments[i], c, html);
+ c++;
+ }
+
+ this.update_popup(results);
+}
+
+function escapeURI(La){
+ if(encodeURIComponent) {
+ return encodeURIComponent(La);
+ }
+ if(escape) {
+ return escape(La)
+ }
+}
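Review bot: `update_popup` assigns `results[i][3]` to `div.innerHTML`, and that string is concatenated in `process_reply` from the raw RPC arguments, so any markup in a location, region or country name returned by `/ac.php` is parsed as HTML in the page. The reply itself is run through `eval(AC.request.responseText)` in `send`, so the two files have to agree on escaping, and neither side shown here does any. Building the two spans from text nodes removes the HTML sink; `this.highlight` is never set in the constructor shown, so the `<font>` highlighting is off by default and would need to wrap matches in nodes rather than markup. Separately, `new RegExp('('+this.searched_term+')', "gi")` throws on input such as `(` because the typed text is not escaped.

```javascript
	// … unchanged: div creation, divid / AC / className / name / value assignment …
	var label = document.createElement('SPAN');
	label.className = 'd';
	label.appendChild(document.createTextNode(results[i][0]));
	var detail = document.createElement('SPAN');
	detail.className = 'a';
	detail.appendChild(document.createTextNode(results[i][1]));
	div.appendChild(label);
	div.appendChild(detail);
	// … unchanged: mouse handlers and this.div.appendChild(div) …
```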
diff --git a/cacert/www/ac.php b/cacert/www/ac.php
new file mode 100644
index 0000000..fe8ac18
--- /dev/null
+++ b/cacert/www/ac.php
@@ -0,0 +1,52 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ header('Content-Type: text/html; charset=UTF-8');
+
+ if($_REQUEST['i'] != "")
+ echo "<html><body><script language=\"JavaScript\"><!--\n";
+
+ $s = mysql_real_escape_string($_REQUEST['s']);
+
+ $id = mysql_real_escape_string(strip_tags($_REQUEST['id']));
+ echo "parent._ac_rpc('".sanitizeHTML($id)."',";
+
+ $bits = explode(",", $s);
+
+ $loc = trim(mysql_real_escape_string($bits['0']));
+ $reg = trim(mysql_real_escape_string($bits['1']));
+ $ccname = trim(mysql_real_escape_string($bits['2']));
+ $query = "select `locations`.`id` as `locid`, `locations`.`name` as `locname`, `regions`.`name` as `regname`,
+ `countries`.`name` as `ccname` from `locations`, `regions`, `countries` where
+ `locations`.`name` like '$loc%' and `regions`.`name` like '$reg%' and `countries`.`name` like '$ccname%' and
+ `locations`.`regid`=`regions`.`id` and `locations`.`ccid`=`countries`.`id`
+ order by `locations`.`acount` DESC, `locations`.`name` ASC limit 10";
+ $res = mysql_query($query);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $rc++;
+ if($rc > 1)
+ echo ",";
+ echo '"'.$row['locname'].', '.$row['regname'].', '.$row['ccname'].'", "'.$row['locid'].'"';
+ }
+ echo ");";
+
+ if($_REQUEST['i'] != "")
+ echo "\n\n// -->\n</script></body></html>";
+
+ exit;
+?>
diff --git a/cacert/www/account.php b/cacert/www/account.php
new file mode 100644
index 0000000..434053f
--- /dev/null
+++ b/cacert/www/account.php
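Review bot: In `ac.php` the result loop writes `$row['locname']`, `$row['regname']` and `$row['ccname']` into a double-quoted JavaScript string with no escaping, and the caller in `ac.js` either evals the response or runs it inside the `<script>` block emitted when `i` is set. A stored name containing `"`, a backslash or `</script>` therefore changes the script that runs in the visitor's browser. Encode each value for its context, e.g. `echo json_encode($row['locname'].', '.$row['regname'].', '.$row['ccname']).', '.json_encode((string)$row['locid']);`, and emit `$id` the same way rather than relying on `sanitizeHTML()` (defined outside this diff) inside single quotes. `$rc` is also incremented before it is initialised, and `$bits['1']` and `$bits['2']` are read even when the search term contains no commas.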
@@ -0,0 +1,73 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/ ?>
+<?
+ include("../includes/account.php");
+
+ if($id == 6)
+ {
+ include_once("../pages/account/6.php");
+ exit;
+ } else if($id == 19) {
+ include_once("../pages/account/19.php");
+ exit;
+ } else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] != "yes") {
+ $who = stripslashes($_REQUEST['who']);
+ $email = stripslashes($_REQUEST['email']);
+ $subject = stripslashes($_REQUEST['subject']);
+ $message = stripslashes($_REQUEST['message']);
+
+ $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
+
+ sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, $email, "", "CAcert Website");
+ showheader(_("Welcome to CAcert.org"));
+ echo _("Your message has been sent.");
+ showfooter();
+ exit;
+ } else if($oldid == 40 && $_REQUEST['process'] != "" && $_POST['support'] == "yes") {
+ $who = stripslashes($_REQUEST['who']);
+ $email = stripslashes($_REQUEST['email']);
+ $subject = stripslashes($_REQUEST['subject']);
+ $message = stripslashes($_REQUEST['message']);
+
+
+ $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message;
+
+ sendmail("cacert-support@lists.cacert.org, $email", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert Website");
+
+ showheader(_("Welcome to CAcert.org"));
+ echo _("Your message has been sent to the general support list.");
+ showfooter();
+ exit;
+ } else if($id == 51 && $_GET['img'] == "show") {
+ $query = "select * from `tverify` where `id`='".intval($_GET['photoid'])."' and `modified`=0";
+ $res = mysql_query($query);
+ if(mysql_num_rows($res))
+ {
+ $row = mysql_fetch_assoc($res);
+ readfile($row['photoid']);
+ } else {
+ die("No such file.");
+ }
+ exit;
+ } else {
+ showheader(_("My CAcert.org Account!"));
+ includeit($id, "account");
+ showfooter();
+ exit;
+ }
+?>
diff --git a/cacert/www/advertising.php b/cacert/www/advertising.php
new file mode 100644
index 0000000..e987461
--- /dev/null
+++ b/cacert/www/advertising.php
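Review bot: In `account.php` both support-form branches pass `$email` and `$subject` from `$_REQUEST` into `sendmail()` as sender, reply-to and subject after only `stripslashes()`, so unless `sendmail()` (defined outside this hunk) strips CR/LF these fields can carry extra mail headers. The second branch also places `$email` in the recipient list (`"cacert-support@lists.cacert.org, $email"`), which lets whoever submits the form have site-branded mail delivered to an address of their choosing. Validate the address and remove line breaks before use, e.g. `$email = str_replace(array("\r", "\n"), '', stripslashes($_REQUEST['email']));`, and keep the recipient fixed to the list. In the `$id == 51` branch, `readfile($row['photoid'])` serves whatever path the `tverify` row holds for any `photoid`; it is not visible here whether `includes/account.php` limits that branch to the owner or an administrator.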
@@ -0,0 +1,87 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/ ?>
+<?
+ if($_SESSION['profile']['adadmin'] <= 0)
+ {
+ showheader(_("My CAcert.org Account!"));
+ echo _("You don't have access to this area.");
+ showfooter();
+ exit;
+ }
+
+ $id = array_key_exists('id',$_REQUEST)?intval($_REQUEST['id']):0;
+ if($id == 2)
+ $id = 0;
+ $oldid = array_key_exists('oldid',$_POST)?intval($_POST['oldid']):0;
+ $process = array_key_exists('process',$_POST)?$_POST['process']:"";
+
+ loadem("account");
+ $errmsg = "";
+
+ if($oldid == 1 && $process != "")
+ {
+ $title = mysql_real_escape_string(strip_tags(trim(htmlentities($_POST['title']))));
+ $link = mysql_real_escape_string(strip_tags(trim($_POST['link'])));
+ $months = intval($_POST['months']);
+
+ if(!strstr($link, "://"))
+ {
+ $link = "http://".$link;
+ }
+
+ if($months < 1 || $months > 12)
+ {
+ $id = 1;
+ $errmsg .= _("You can only place an advertisement for up to 12 months.<br />");
+ $process="";
+ $oldid=0;
+ }
+
+ if(strlen($title) <= 5)
+ {
+ $id = 1;
+ $errmsg .= _("Link title was too short.<br />");
+ $process="";
+ $oldid=0;
+ }
+
+ if(strlen($link) <= 10)
+ {
+ $id = 1;
+ $errmsg .= _("Link URI was too short.<br />");
+ $process="";
+ $oldid=0;
+ }
+ }
+
+ if($oldid == 1 && $process != "")
+ {
+ $query = "insert into `advertising` set `link`='$link', `title`='$title', `months`='$months', `who`='".$_SESSION['profile']['id']."',
+ `when`=NOW()";
+ mysql_query($query);
+ unset($link);
+ unset($title);
+ unset($months);
+ $id = 1;
+ $errmsg = _("Your advertisement request has been lodge in the system and administrators notified. Once the information has been reviewed, you will be notified if the link was acceptable or declined and the reason for the decline. If the request is successful the system will generate an invoice.");
+ }
+
+ showheader(_("CAcert.org Advertising Section"));
+ includeit($id, "advertising");
+ showfooter();
+?>
diff --git a/cacert/www/alert_hash_collision.php b/cacert/www/alert_hash_collision.php
new file mode 100644
index 0000000..bad60e8
--- /dev/null
+++ b/cacert/www/alert_hash_collision.php
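Review bot: In `advertising.php` the `$link` handling only prepends `http://` when the value lacks `://`, so any other scheme the submitter types is stored unchanged and is presumably rendered later as the advertisement link. Restrict the value to web schemes after the prepend step with a check such as `if(!preg_match('#^https?://#i', $link))`, handled like the other validation failures (`$id = 1; $process=""; $oldid=0;` plus an error message). Also, `strip_tags(trim(htmlentities(...)))` on `$title` calls `strip_tags()` after the angle brackets are already entity-encoded, so it removes nothing; keep one of the two and apply output escaping where the title is displayed.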
@@ -0,0 +1,28 @@
+<?php
+
+include("../includes/hash_password.php");
+define('REPORT_WEAK_SCRIPT', './report-weak');
+
+if (@$_GET['shared_secret'] != SHARED_SECRET)
+ die('not authenticated');
+if (!preg_match('/^[0-9a-f]{40}$/i', $_POST['pkhash']))
+ die('malformed or nonexistant pkhash');
+if (!preg_match('/^(mem|org)-[0-9]+$/', @$_POST['usernym']))
+ die('malformed or nonexistant usernym');
+
+// alert seems ok
+
+if (preg_match('/^mem-[0-9]+$/', @$_POST['usernym']))
+{
+ mysql_query("update emailcerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+ mysql_query("update domaincerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+}
+else
+{
+ mysql_query("update orgemailcerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+ mysql_query("update orgdomaincerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+}
+
+//exec(REPORT_WEAK . ' ' . $_POST['usernym'] . ' ' . lower($_POST['pkhash']));
+
+?>
diff --git a/cacert/www/analyse.php b/cacert/www/analyse.php
new file mode 100644
index 0000000..b263644
--- /dev/null
+++ b/cacert/www/analyse.php
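Review bot: In `alert_hash_collision.php` the caller is authenticated by `@$_GET['shared_secret'] != SHARED_SECRET`, which puts the secret in the URL (and so in access logs and proxy logs) and compares it with the type-juggling `!=` operator. Read it from the POST body like the other two fields and compare strictly, e.g. `if (!isset($_POST['shared_secret']) || !hash_equals(SHARED_SECRET, (string)$_POST['shared_secret'])) die('not authenticated');` on PHP 5.6 or later, or `!==` where `hash_equals()` is unavailable. `$_POST['pkhash']` is concatenated into the four UPDATE statements unescaped; the regex keeps that safe only while it stays anchored, and `$` still admits a trailing newline, so `\z` (or the `D` modifier) is the tighter anchor. The commented-out `exec()` refers to `REPORT_WEAK` and `lower()`, neither of which is defined in this file, and would need `escapeshellarg()` on both arguments if it is ever re-enabled.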
@@ -0,0 +1,36 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/ ?>
+<?
+ loadem("index");
+
+ showheader(_("Welcome to CAcert.org"));
+
+
+
+ if($_POST['csr'] == "")
+ { ?>
+<form method="post">
+<p>Please paste the PEM encoded certificate signing request you would like to analyze in the text area below:</p>
+<p><textarea name="csr" cols="64" rows="12"></textarea></p>
+<p><input type="submit" name="process" value="<?=_("Analyse")?>"></p>
+</form>
+<? } else {
+ echo "<pre>".htmlspecialchars(print_r(openssl_x509_parse(openssl_x509_read($_POST['csr'])),true))."</pre>";
+ }
+ showfooter();
+?>
diff --git a/cacert/www/api/CVS/Entries b/cacert/www/api/CVS/Entries
new file mode 100644
index 0000000..64e2916
--- /dev/null
+++ b/cacert/www/api/CVS/Entries
@@ -0,0 +1,5 @@
+/index.php/1.1/Tue Nov 8 10:06:04 2005//
+/cemails.php/1.5/Mon Nov 24 12:43:46 2008//
+/edu.php/1.3/Mon Jan 5 10:34:38 2009//
+/ccsr.php/1.8/Fri Apr 10 23:09:08 2009//
+D
diff --git a/cacert/www/api/CVS/Repository b/cacert/www/api/CVS/Repository
new file mode 100644
index 0000000..c80c92c
--- /dev/null
+++ b/cacert/www/api/CVS/Repository
@@ -0,0 +1 @@
+cacert/www/api
diff --git a/cacert/www/api/CVS/Root b/cacert/www/api/CVS/Root
new file mode 100644
index 0000000..a363882
--- /dev/null
+++ b/cacert/www/api/CVS/Root
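Review bot: The form in `analyse.php` asks for a PEM certificate signing request, but the handler feeds `$_POST['csr']` to `openssl_x509_read()` and `openssl_x509_parse()`, which parse certificates, so a real CSR fails to parse and the page prints an empty `<pre>`. Either relabel the form as a certificate analyser or read the request with `openssl_csr_get_subject($_POST['csr'])`, and in both cases test the result for `false` and show an error instead of printing it. `$_POST['csr']` is also read without `isset()`, which raises a notice on the initial GET. The `htmlspecialchars()` around the printed structure is correct and should stay.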
@@ -0,0 +1 @@
+/var/lib/cvs
diff --git a/cacert/www/api/ccsr.php b/cacert/www/api/ccsr.php
new file mode 100644
index 0000000..b2db656
--- /dev/null
+++ b/cacert/www/api/ccsr.php
@@ -0,0 +1,98 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ $username = mysql_real_escape_string($_REQUEST['username']);
+ $password = mysql_real_escape_string($_REQUEST['password']);
+
+ $query = "select * from `users` where `email`='$username' and (`password`=old_password('$password') or `password`=sha1('$password'))";
+ $res = mysql_query($query);
+ if(mysql_num_rows($res) != 1)
+ die("403,That username couldn't be found\n");
+ $user = mysql_fetch_assoc($res);
+ $memid = $user['id'];
+ $emails = array();
+ foreach($_REQUEST['email'] as $email)
+ {
+ $email = mysql_real_escape_string(trim($email));
+ $query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0 and `email`='$email'";
+ $res = mysql_query($query);
+ if(mysql_num_rows($res) > 0)
+ {
+ $row = mysql_fetch_assoc($res);
+ $id = $row['id'];
+ $emails[$id] = $email;
+ }
+ }
+ if(count($emails) <= 0)
+ die("404,Wasn't able to match any emails sent against your account");
+ $query = "select sum(`points`) as `points` from `notary` where `to`='$memid' group by `to`";
+ $row = mysql_fetch_assoc(mysql_query($query));
+ $points = $row['points'];
+
+ $name = "CAcert WoT User\n";
+ $newname = mysql_real_escape_string(trim($_REQUEST['name']));
+ if($points >= 50)
+ {
+ if($newname == $user['fname']." ".$user['lname'] ||
+ $newname == $user['fname']." ".$user['mname']." ".$user['lname'] ||
+ $newname == $user['fname']." ".$user['lname']." ".$user['suffix'] ||
+ $newname == $user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix'])
+ $name = $newname;
+ }
+
+ $codesign = 0;
+ if($user['codesign'] == "1" && $_REQUEST['codesign'] == "1" && $points >= 100)
+ $codesign = 1;
+
+ $CSR = trim($_REQUEST['optionalCSR']);
+ $incsr = tempnam("/tmp", "ccsrIn");
+ $checkedcsr = tempnam("/tmp", "ccsrOut");
+ $fp = fopen($incsr, "w");
+ fputs($fp, $CSR);
+ fclose($fp);
+ $do = `/usr/bin/openssl req -in $incsr -out $checkedcsr`;
+ @unlink($incsr);
+ if(filesize($checkedcsr) <= 0)
+ die("404,Invalid or missing CSR");
+
+ $csrsubject = "/CN=$name";
+ foreach($emails as $id => $email)
+ $csrsubject .= "/emailAddress=".$email;
+
+ $query = "insert into `emailcerts` set `CN`='".$user['email']."', `keytype`='MS',
+ `memid`='".$user['id']."', `created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
+ `subject`='$csrsubject', `codesign`='$codesign'";
+ mysql_query($query);
+ $certid = mysql_insert_id();
+ $CSRname = "/www/csr/client-$certid.csr";
+ rename($checkedcsr, $CSRname);
+
+ mysql_query("update `emailcerts` set `csr_name`='$CSRname' where `id`='$certid'");
+
+ foreach($emails as $emailid => $email)
+ mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='$emailid'");
+
+ $do = `../../scripts/runclient`;
+ sleep(10); // THIS IS BROKEN AND SHOULD BE FIXED
+ $query = "select * from `emailcerts` where `id`='$certid' and `crt_name` != ''";
+ $res = mysql_query($query);
+ if(mysql_num_rows($res) <= 0)
+ die("404,Your certificate request has failed. ID: $certid");
+ $cert = mysql_fetch_assoc($res);
+ echo "200,Authentication Ok\n";
+ readfile("../".$cert['crt_name']);
+?>
diff --git a/cacert/www/api/cemails.php b/cacert/www/api/cemails.php
new file mode 100644
index 0000000..0d067ea
--- /dev/null
+++ b/cacert/www/api/cemails.php
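Review bot: `ccsr.php` reads credentials with `$_REQUEST['username']` and `$_REQUEST['password']`, so this API accepts the account password in the query string, where it ends up in server and proxy logs; `cemails.php` in the next hunk does the same. Use `$_POST` for both, and note that the lookup depends on unsalted `sha1()`/`old_password()` digests, which is a schema issue beyond this file. `$user['email']` and `$user['id']` come back from the database and are placed into the `insert into emailcerts` statement without escaping; pass them through `mysql_real_escape_string()` and `intval()` like the request values. `$name` defaults to `"CAcert WoT User\n"`, so a newline is carried into `$csrsubject` and the stored subject, and `foreach($_REQUEST['email'] ...)` assumes the parameter is an array without checking `is_array()`.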
@@ -0,0 +1,47 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ + $username = mysql_escape_string($_REQUEST['username']); + $password = mysql_escape_string($_REQUEST['password']); + + $query = "select * from `users` where `email`='$username' and (`password`=old_password('$password') or `password`=sha1('$password'))"; + $res = mysql_query($query); + if(mysql_num_rows($res) != 1) + die("403,That username couldn't be found\n"); + echo "200,Authentication Ok\n"; + $user = mysql_fetch_assoc($res); + $memid = $user['id']; + $query = "select sum(`points`) as `points` from `notary` where `to`='$memid' group by `to`"; + $row = mysql_fetch_assoc(mysql_query($query)); + $points = $row['points']; + echo "CS=".intval($user['codesign'])."\n"; + echo "NAME=CAcert WoT User\n"; + if($points >= 50) + { + echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['lname'])."\n"; + if($user['mname'] != "") + echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['mname'])." ".sanitizeHTML($user['lname'])."\n"; + if($user['suffix'] != "") + echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['lname'])." ".sanitizeHTML($user['suffix'])."\n"; + if($user['mname'] != "" && $user['suffix'] != "") + echo "NAME=".sanitizeHTML($user['fname'])." ".sanitizeHTML($user['mname'])." 
".sanitizeHTML($user['lname'])." ".sanitizeHTML($user['suffix'])."\n"; + } + $query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0"; + $res = mysql_query($query); + while($row = mysql_fetch_assoc($res)) + echo "EMAIL=".$row['email']."\n"; +?> diff --git a/cacert/www/api/edu.php b/cacert/www/api/edu.php new file mode 100644 index 0000000..27b7b1b --- /dev/null +++ b/cacert/www/api/edu.php @@ -0,0 +1,43 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ + + $ipadress =$_SERVER['REMOTE_ADDR']; + + if ($ipadress=='72.36.220.19' && $_SERVER['HTTPS']=="on") + { + $serial=mysql_escape_string($_REQUEST["serial"]); + $root=intval($_REQUEST["root"]); + + $sql="select memid from emailcerts where serial='$serial' and rootcert='$root'"; + $query= mysql_query($sql); + if(mysql_num_rows($query) != 1) + { + echo "NOT FOUND: ".sanitizeHTML($sql); + } + else + { + $memid = mysql_fetch_assoc($query); + echo sanitizeHTML($memid['memid']); + } + } + else + { + echo "UNAUTHORIZED ACCESS ".$ipadress." ".$_SERVER['HTTPS']; + } +?> + diff --git a/cacert/www/api/index.php b/cacert/www/api/index.php new file mode 100644 index 0000000..24e7f8a --- /dev/null +++ b/cacert/www/api/index.php @@ -0,0 +1,4 @@ +<? + header("location: .."); + exit; +?> 
diff --git a/cacert/www/cap.html.php b/cacert/www/cap.html.php
new file mode 100644
index 0000000..c5ae89c
--- /dev/null
+++ b/cacert/www/cap.html.php
@@ -0,0 +1,247 @@ +<?php /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + loadem("index"); + showheader(_("Identity Verification Form (CAP) form")); + Version: $Id: cap.html.php,v 1.1 2009-03-02 23:09:05 root Exp $ +*/ + echo '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">', "\n"; + echo '<html>', "\n"; + + echo '<head>', "\n"; + echo '<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">', "\n"; + echo '<title>'._("Identity Verification Form (CAP) form").'</title>', "\n"; + echo '</head>', "\n"; + + echo '<body>', "\n"; + echo '<p>', "\n"; + echo '<div style="text-align: right;"><img style="width: 30%; float: none;" alt="CAcert logo" src="http://www.cacert.org/logos/CAcert-logo-colour-1000.png" vspace="3">'; + echo '</div>', "\n"; + echo '</p>', "\n"; + echo '<p>', "\n"; + echo '<div style="text-align: right;">', "\n"; + echo '<big><big><span style="font-weight: bold;">'._("CAcert Assurance Programme").'</span></big></big><br>', "\n"; + echo '</div>', "\n"; + echo '<div style="text-align: right;">', "\n"; + echo '<big><big><span style="font-weight: bold;">'._("Identity Verification Form (CAP) form").'</span></big></big><br>', "\n"; + echo '</div>', "\n"; + echo '<div style="text-align: right;">'.'CAcert Inc. - P.O. 
Box 4107 - Denistone East NSW 2112 - Australia - <a href="http://www.cacert.org/"> http://www.cacert.org/</a><br></div>', "\n"; + + echo '<table border=1 cellspacing="0" cellpadding="0" bordercolor="lightblue" cellpadding="0" cellspacing="0" width="100%" style="color: white; background-color: rgb(112, 154, 186);" rules="groups">', "\n"; + echo '<tbody>', "\n"; + echo '<tr><td>', "\n"; + echo '<tr>', "\n"; + echo ' <td align="left"><font size=-7>'._("CAcert's Root Certificate sha1 fingerprints").'</font></td>', "\n"; + echo ' <td align="right"><font size=-7>class 1: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33</font></td>', "\n"; + echo '</tr>', "\n"; + echo '<tr>', "\n"; + echo ' <td></td>', "\n"; + echo ' <td align="right"><font size=-7>class 3: DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D</font></td>', "\n"; + echo '<tr>', "\n"; + echo '</font>', "\n"; + echo '</td>', "\n"; + echo '</tr>', "\n"; + echo '</tbody>', "\n"; + echo '</table>', "\n"; + echo '<p>', "\n"; + echo _("The CAcert Assurance Programme (CAP) aims to verify the identities of Internet users through face to face witnessing of government-issued photo identity documents."); + echo _("The Applicant asks the Assurer to verify to the CAcert Community that the Assurer has met and verified the Applicant's identity against original documents."); + echo _("Assurer may leave a copy of the details with the Applicant, and may complete and sign her final form after the meeting."); + echo _("If there are any doubts or concerns about the Applicant's identity, do not allocate points. You are encouraged to perform a mutual Assurance."); + echo '<br>', "\n"; + echo _("For more information about the CAcert Assurance Programme, including detailed guides for CAcert Assurers, please visit:"); + echo ' <a href="http://www.cacert.org/">http://www.cacert.org/</a><br>', "\n"; + echo _("A CAcert Arbitrator can require the Assurer to deliver the completed form in the event of a dispute. 
After 7 years this form should be securely disposed of to prevent identity misuse. E.g. shred or burn the form. The Assurer does not retain copies of ID at all."); + echo '<br>', "\n"; + echo _("For the CAcert Organisation Assurance Programme there is a separate special COAP form."); +/* + echo '</p>', "\n"; +*/ + + echo '<form target="_blank" enctype="application/x-www-form-urlencoded" method="get" action="https://www.cacert.org/capnew.php" name="CAP form">', "\n"; + + echo '<table width=100% cellspacing="0" celpadding="0"><tr>', "\n"; + echo ' <td>'; + echo '<div style="text-align: left;"><span style="font-style: italic; text-align: right;">'._("Date and location of the face-to-face meeting").':</span>', "\n"; + echo '<input maxlength="80" size="30" name="location"></span>', "\n"; + echo '</td>', "\n", ' <td>'; + echo '<div style="text-align: right;"><span style="font-style: italic;"><small>('._("yyyy-dd-mm").')</small></span>'; + echo '<input size="12" name="date"></div>', "\n"; + echo '</td>', "\n", '</tr>', "\n", '</tabe>', "\n"; + echo '<br>', "\n"; + echo '<table border="3" cellpadding="2" cellspacing="0" width="100%" bordercolor="lightblue" rules="groups">', "\n"; + echo '<thead>', "\n"; + echo '<tr style="background-color: rgb(17, 86, 140); color: white;">', "\n"; + echo ' <th colspan="2" align="left"><big><big>'._("Applicant's Identity Information").'</big></big></th>', "\n"; + echo ' <th align=left>'; + /* echo _("points").'<br>'._("allocated"); */ + echo str_replace(" ", '<br>', _("points allocated")); + echo '</th>', "\n"; + echo '</tr>', "\n"; + echo '</thead>', "\n"; + echo '<tbody>', "\n"; + echo '<tr><td align="left">'._("Exact full name on the ID").': </td>', "\n"; + echo ' <td align="right">(', "\n"._("type of ID shown").')</td>', "\n"; + echo ' <td align="right">', "\n"._("max").'35</td>', "\n"; + echo '</tr>', "\n"; + echo '<tr>', "\n"; + echo ' <td><input size="55" maxlength="80" name="name1"></td>', "\n"; + echo ' <td align="right"><select 
size="1" name="name1ID">', "\n"; + echo ' <option selected="selected">'._("passport").'</option>', "\n"; + echo ' <option>'._("identity card").'</option>', "\n"; + echo ' <option>'._("driver license").'</option>', "\n"; + echo ' <option value="......">'._("other").'</option>', "\n"; + echo ' </select>', "\n"; + echo ' </td>', "\n"; + echo ' <td align="right"><input maxlength="2" size="2" name="name1Pnts"></td>', "\n"; + echo '</tr>', "\n"; + echo '<tr> ', "\n"; + echo ' <td><input size="55" maxlength="80" name="name2"></td>', "\n"; + echo ' <td align="right"><select size="1" name="name2ID">', "\n"; + echo ' <option>'._("passport").'</option>'; + echo ' <option selected="selected">'._("identity card").'</option>', "\n"; + echo ' <option>'._("driver license").'</option>', "\n"; + echo ' <option value="....">'._("other").'</option>', "\n"; + echo ' </select>', "\n"; + echo ' </td>', "\n"; + echo ' <td align="right"><input maxlength="2" size="2" name="name2Pnts"></td>', "\n"; + echo '</tr>', "\n"; + echo '<tr><td><input size="55" maxlength="80" name="name3"></td>', "\n"; + echo ' <td align="right"><select size="1" name="name3ID">', "\n"; + echo ' <option>'._("passport").'</option>', "\n"; + echo ' <option>'._("identity card").'</option>'; + echo ' <option selected="selected" value="">', "\n"._("driver license").'</option>'; + echo ' <option value="....">', "\n"._("other").'</option>'; + echo ' </select>', "\n"; + echo ' </td>', "\n"; + echo ' <td align="right"><input maxlength="2" size="2" name="name3Pnts"></td>', "\n"; + echo '</tr>', "\n"; + echo '</tbody>', "\n"; + echo '<tbody>', "\n"; + echo '<tr><td>'._("Email address").': <br><input maxlength="80" size="55" name="email"></td>', "\n"; + echo ' <td colspan="2" align="right">'._("Date of Birth").' 
('._("yyyy-mm-dd").')'.'<br><input maxlength="10" size="11" name="dob"></td>', "\n"; + echo '</tr>', "\n"; + echo '</tbody>', "\n"; + echo '<!--', "\n"; + echo '</table>', "\n"; + echo '<table border="3" cellpadding="2" cellspacing="0" width="100%" bordercolor="lightblue" rules="groups">', "\n"; + echo '-->', "\n"; + echo '<thead>', "\n"; + echo '<tr style="background-color: rgb(17, 86, 140); color: white;">', "\n"; + echo ' <th colspan="3" align="left"><big><big>'._("Applicant's Statement").'</big></big></th>', "\n"; + echo '</thead>', "\n"; + echo '<tbody>', "\n"; + echo '<tr>', "\n"; + echo ' <td colspan="3">'._("Make sure you have read and agreed with the CAcert Community Agreement"); + echo '(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)<br>', "\n"; + echo '</td>', " \n", '</tr>', "\n"; +/* + echo '</tbody>', "\n"; + echo '<tbody>', "\n"; +*/ + echo '<tr>', "\n"; + echo ' <td colspan="3"><input type="checkbox" checked name="checked" value="1"> '; + echo _("I hereby confirm that the information stating my Identity Information above is both true and correct and request the CAcert Assurer (see below) to witness my identity in the CAcert Assurance Programme."); + echo '</td>', "\n".'</tr>', "\n"; + echo '<tr>', "\n". ' <td colspan="3"><input type="checkbox" checked name="checked" value="2"> '; + echo _("I agree to the CAcert Community Agreement.").' ('; + echo '<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)</dd>', "\n"; + echo '</td>', "\n".'</tr>', "\n"; +/* + echo '</tbody>', "\n"; + echo '<tbody>', "\n"; +*/ + echo '<tr>', "\n"; + echo ' <td>'._("Date").' 
('._("yyyy-mm-dd").')'.'<br><input maxlength="10" size="11" name="assurancedate"></td>', "\n"; + echo ' <td colspan="2" align="right" valign="top"> '._("Applicant's signature").'</td>', "\n"; + echo '</tr>', "\n"; + echo '</tbody>', "\n"; + echo '</table>', "\n"; + echo '<br>', "\n"; + echo '<table border="3" cellpadding="2" cellspacing="0" width="100%" bordercolor="lightblue" rules="groups">', "\n"; + echo '<thead>', "\n"; + echo '<tr style="background-color: rgb(17, 86, 140); color: white;">', "\n"; + echo ' <th colspan="2" align="left"><big><big>'._("Assurer's Statement").'</big></big></td>', "\n"; + echo '</tr>', "\n"; + echo '</thead>', "\n"; + echo '<tbody>', "\n"; + echo '<tr>', "\n"; + echo ' <td>'._("Assurer's Name").'<br><input maxlength="80" size="55" name="assurer"></td>', "\n"; + echo ' <td align="right"><small><small>'.'('._("optional").')'.'</small></small>', "\n"; + echo _("Date of Birth").' ('._("yyyy-mm-dd").')'; + echo '<br><input maxlength="10" size="11" name="assurerdob"></td>', "\n"; + echo '</tr>', "\n"; + echo '<tr>', "\n"; + echo ' <td colspan="2">'._("Assurer's email address").'<small><small>', "\n"; + echo '('._("optional").')'.'</small></small><br><input maxlength="80" size="55" name="assureremail"></td>', "\n"; + echo '</tr>', "\n"; +/* + echo '</tbody>', "\n"; + echo '<tbody>', "\n"; +*/ + echo '<tr>', "\n"; + echo ' <td colspan="2"><input type="checkbox" checked name="checked" value="3"> '; + echo _("I, the Assurer, hereby confirm that I have verified the Applicant's Identity Information, I will witness the Applicant's identity in the CAcert Assurance Programme, and allocate Assurance Points."); + echo '</td>', "\n"; + echo '</tr>', "\n"; + echo '<tr>', "\n"; + echo ' <td colspan="2"><input type="checkbox" checked name="checked" value="4"> '; + echo _("I am a CAcert Community Member, have passed the Assurance Challenge, and have been assured with at least 100 Assurance Points."); + echo '</td>', "\n"; + echo '</tr>', "\n"; +/* + echo 
'</tbody>', "\n"; + echo '<tbody>', "\n"; +*/ + echo '<tr>', "\n"; + echo ' <td>'._("Date").' ('._("yyyy-mm-dd").')'; + echo '<br><input maxlength="10" size="11" name="assurerdate"></td>', "\n"; + echo ' <td align="right" valign="top">'._("Assurer's signature").'</td>', "\n"; + echo '</tr>', "\n"; + echo '</tbody>', "\n"; + echo '</table>', "\n"; + echo '<div style="text-align: right;"><small><small><span>© '.date('Y').' CAcert Inc., V5, '.date('Y-n-j').'</small></small></span></div>', "\n"; + echo '<br>', "\n"; + echo '<p>', "\n"; + echo '<table border="3" cellpadding="2" cellspacing="0" width="100%" bordercolor="lightblue" rules="groups">', "\n"; + echo '<thead>', "\n"; + echo '<tr style="background-color: rgb(112, 154, 186); color: white;">', "\n"; + echo ' <th colspan="2" align="left"><big><big>'._("How To Print this CAP form").'</big></big></td>', "\n"; + echo '</tr>', "\n"; + echo '</thead>', "\n"; + echo '</table>', "\n"; + echo '<p>'; + echo _("A printer ready file with the form and attachments can be generated as follows:"); + echo '<dl>', "\n"; + echo ' <dd><input type="radio" name="orientation" value="landscape"> '._("2-up"); + echo ' <input type="radio" checked="checked" name="orientation" value="portrait"> '._("portrait").' 
'._("1-up").')'; + echo '</dd>', "\n"; + echo ' <dd><input type="radio" checked="checked" name="format" value="A4"> A4', "\n"; + echo ' <input type="radio" name="format" value="A5"> A5', "\n"; + echo ' <input type="radio" name="format" value="letter"> Letter '._("paper format"); + echo '</dd>', "\n"; + echo ' <dd><input type="radio" name="nocca" value="false"> '._("no"); + echo ' <input type="radio" checked="checked" name="nocca" value="true"> '._("yes, the CCA is attached to the form."); + echo '</dd>', "\n"; + echo '</dl>', "\n"; + echo _("Submit the form").': <button type="submit" style="background-color: rgb(112, 154, 186); color: white;"> '._("generate PDF file"); + echo '</button>', "\n"; + echo '</p>', "\n"; + echo '</form>', "\n"; + + echo '</body>', "\n"; + echo '</html>', "\n"; +?> diff --git a/cacert/www/cap.php b/cacert/www/cap.php new file mode 100644 index 0000000..6b08d38 --- /dev/null +++ b/cacert/www/cap.php 
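Review bot: The form submits with `method="get"`, so the applicant's name, date of birth and e-mail address are placed in the query string of the capnew.php request, where they persist in browser history and server access logs. If capnew.php accepts posted fields (its parameter handling is not visible in this hunk), `method="post"` avoids that. The logo is also loaded from `http://www.cacert.org/logos/...` while the form targets `https://`, which produces mixed content whenever the page itself is served over TLS. Markup slips worth fixing in the same pass: `</tabe>` should be `</table>`, `celpadding` should be `cellpadding`, and the meeting-date hint reads `yyyy-dd-mm` where every other date field says `yyyy-mm-dd`.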
@@ -0,0 +1,291 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ + if($_SESSION['_config']['language'] != "ja_JP") + { + define('FPDF_FONTPATH','/usr/share/fpdf/font/'); + require_once('/usr/share/ufpdf/fpdf.php'); + class PDF2 extends FPDF + { + } + } else { + require('/usr/share/fpdf/japanese.php'); + class PDF2 extends PDF_Japanese + { + } + } + + class PDF extends PDF2 + { + function Header() + { + $this->Image((array_key_exists('bw',$_REQUEST) && $_REQUEST['bw'])?'images/CAcert-logo-mono-1000.png':'images/CAcert-logo-colour-1000.png',8,8,100); + $this->SetFont('Arial','B',14); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',14); + $this->Cell(100); + $this->Cell(40,20,recode($_SESSION['_config']['recode'], _("CAcert Assurance Programme"))); + $this->Ln(6); + $this->Cell(100); + $this->Cell(40,20,recode($_SESSION['_config']['recode'], _("Identity Verification Form"))); + $this->Ln(10); + + $this->SetY(36); + $this->SetFont('Arial','I',8); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','I',8); + $this->Cell(0,0,'CAcert Inc. - P.O. 
Box 4107 - Denistone East NSW 2112 - Australia - http://www.CAcert.org',0,0,'C'); + $this->Ln(3); + $this->SetFont('Arial','',6); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',6); + $this->Cell(0,0, recode($_SESSION['_config']['recode'], _("CAcert's Root Certificate fingerprints")).": A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B "._("and")." 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33",0,0,'C'); + $this->SetLineWidth(0.05); + $this->Line(1, 43, $this->w - 1, 43); + $this->SetLineWidth(0.2); + } + + function Footer() + { + } + + function Body($name = "", $dob = "", $email = "", $assurer = "", $date = "", $maxpoints = "", $document1 = "", $document2 = "", $location = "") + { + if($date == "now") + $date = date("Y-m-d"); + + // Show text blurb at top of page + $this->SetY(45); + $this->SetFont('Arial','',10); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',10); + $this->Write(4,sprintf(recode($_SESSION['_config']['recode'], _("To the Assurer: The CAcert Assurance Programme (CAP) aims to verify the identities of Internet users through face-to-face witnessing of government issued identity documents. The Applicant asks you to verify to CAcert.org that you have met them and verified their identity against one or more original, trusted, government photo identity documents. If you have ANY doubts or concerns about the Applicant's identity, DO NOT COMPLETE OR SIGN this form. For more information about the CAcert Assurance Programme, including detailed guides for CAcert Assurers, please visit: %s")), "http://www.CAcert.org")); + $this->Ln(10); + $this->Write(4,recode($_SESSION['_config']['recode'], _("As the assurer, you are required to keep the signed document on file for 7 years. Should Cacert Inc. have any concerns about a meeting taking place, Cacert Inc. can request proof, in the form of this signed document, to ensure the process is being followed correctly. 
After 7 years if you wish to dispose of this form it's preferred that you shred and burn it. You do not need to retain copies of ID at all."))); + $this->Ln(10); + $this->Write(4,recode($_SESSION['_config']['recode'], _("It's encouraged that you tear the top of this form off and give it to the person you are assuring as a reminder to sign up, and as a side benefit the tear off section also contains a method of offline verification of our fingerprints."))); + + // Assuree Section + $top = 120; + $this->Rect(11, $top, $this->w - 25, 60, "D"); //50 -> 60 + $this->SetXY(11, $top + 5); + $this->SetFont("Arial", "BUI", "20"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','BUI',20); + $this->Write(0, recode($_SESSION['_config']['recode'], _("Applicant's Statement"))); + $this->Rect(13, $top + 10, $this->w - 29, 6, "D"); + $this->Line(80, $top + 10, 80, $top + 16); + $this->SetXY(15, $top + 13); + $this->SetFont("Arial", "B", "12"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','B',12); + $this->Write(0, recode($_SESSION['_config']['recode'], _("Names")).":"); + if($name) + { + $this->SetXY(82, $top + 13); + $this->SetFont("Arial", '', "11"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',11); + $this->Write(0, $name); + } + $this->Rect(13, $top + 16, $this->w - 29, 6, "D"); + $this->Line(80, $top + 16, 80, $top + 22); + $this->SetXY(15, $top + 19); + $this->SetFont("Arial", "B", "12"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','B',12); + $this->Write(0, recode($_SESSION['_config']['recode'], _("Date of Birth")).": "); + $this->SetFont("Arial", "", "8"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',8); + $this->Write(0, "(".recode($_SESSION['_config']['recode'], _("YYYY-MM-DD")).")"); + if($dob) + { + $this->SetXY(82, $top + 19); + $this->SetFont("Arial", "", "11"); + if($_SESSION['_config']['language'] == "ja_JP") + 
$this->SetFont('SJIS','',11); + $this->Write(0, $dob); + } + $this->Rect(13, $top + 22, $this->w - 29, 6, "D"); + $this->Line(80, $top + 22, 80, $top + 28); + $this->SetXY(15, $top + 25); + $this->SetFont("Arial", "B", "12"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','B',12); + $this->Write(0, recode($_SESSION['_config']['recode'], _("Email Address")).":"); + if($email) + { + $this->SetXY(82, $top + 25); + $this->SetFont("Arial", "", "11"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',11); + $this->Write(0, $email); + } + $this->SetXY(13, $top + 32); + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->MultiCell($this->w - 29, 3, recode($_SESSION['_config']['recode'], _("I hereby confirm that the information stated above is both true and correct, and request the CAcert Assurer (identified below) to verify me according to CAcert Assurance Policy."))); +// new da start + $this->SetXY(13, $top + 42); + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->MultiCell($this->w - 29, 3, recode($_SESSION['_config']['recode'], _("I agree to the CAcert Community Agreement.")." 
( http://www.cacert.org/policy/CAcertCommunityAgreement.php )")); +// new da end + $this->SetXY(13, $top + 55); //45->55 + $this->Write(0, recode($_SESSION['_config']['recode'], _("Applicant's signature")).": __________________________________"); + $this->SetXY(135, $top + 55);//45->55 + $this->Write(0, recode($_SESSION['_config']['recode'], _("Date (YYYY-MM-DD)")).": "); + if($date == "") + { + $this->Write(0, "20___-___-___"); + } else { + $this->SetFont("Arial", "U", "10"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','U',10); + $this->Write(0, str_pad($date, 13, " ")); + } + + // Assurer Section + $top += 65; // 55->65 + $this->Rect(11, $top, $this->w - 25, 83, "D"); //63->93 + $this->SetXY(11, $top + 5); + $this->SetFont("Arial", "BUI", "20"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','BUI',20); + $this->Write(0, recode($_SESSION['_config']['recode'], _("CAcert Assurer"))); + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->SetXY(13, $top + 15); + if($assurer) + { + $this->Write(0, recode($_SESSION['_config']['recode'], _("Assurer's Name")).": "); + $this->SetFont("Arial", "", "10"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','U',10); +// $this->MultiCell($this->w - 70, 2, recode($_SESSION['_config']['recode'], $assurer)); + $this->Write(0, str_pad($assurer, 50, " ")); + } else { + $this->SetFont("Arial", "U", "10"); + $this->Write(0, recode($_SESSION['_config']['recode'], _("Assurer's Name")).": ________________________________________________________________"); + } + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->SetXY(13, $top + 22); + $this->MultiCell($this->w - 34, 3, recode($_SESSION['_config']['recode'], _("Photo ID Shown: (ID types, not numbers. 
eg Drivers license, Passport)"))); + $this->SetXY(13, $top + 30); + if($document1 == "") + { + $this->Write(0, "1. __________________________________________________________________"); + } else { + $this->Write(0, "1. "); + $this->SetFont("Arial", "U", "10"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','U',10); + $this->Write(0, str_pad($document1, 90, " ")); + } + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->SetXY(13, $top + 35); + if($document2 == "") + { + $this->Write(0, "2. __________________________________________________________________"); + } else { + $this->Write(0, "2. "); + $this->SetFont("Arial", "U", "10"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','U',10); + $this->Write(0, str_pad($document2, 90, " ")); + } + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->SetXY(13, $top + 45); + $this->Write(0, recode($_SESSION['_config']['recode'], _("Location of Face-to-face Meeting")).": "); + if($location == "") + { + $this->Write(0, "_____________________________________________"); + } else { + $this->SetFont("Arial", "U", "10"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','U',10); + $this->Write(0, str_pad($location, 70, " ")); + } + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->SetXY(13, $top + 50); + if($maxpoints > 0) + { + $this->Write(0, recode($_SESSION['_config']['recode'], _("Maximum Points")).": ".$maxpoints); + } else { + $this->Write(0, recode($_SESSION['_config']['recode'], _("Points Allocated")).": ______________"); + } + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->SetXY(13, $top + 54); + $this->MultiCell($this->w - 33, 3, 
recode($_SESSION['_config']['recode'], _("I, the Assurer, hereby confirm that I have verified the Member according to CAcert Assurance Policy."))); + $this->SetXY(13, $top + 59); + $this->MultiCell($this->w - 33, 3, recode($_SESSION['_config']['recode'], _("I am a CAcert Community Member, have passed the Assurance Challenge, and have been assured with at least 100 Assurance Points."))); + + $this->SetFont("Arial", "", "9"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','',9); + $this->SetXY(13, $top + 74); //22->67 + $this->Write(0, recode($_SESSION['_config']['recode'], _("Assurer's signature")).": __________________________________"); + $this->SetXY(135, $top + 74); //22->67 + $this->Write(0, recode($_SESSION['_config']['recode'], _("Date (YYYY-MM-DD)")).": "); + if($date == "") + { + $this->Write(0, "20___-___-___"); + } else { + $this->SetFont("Arial", "U", "10"); + if($_SESSION['_config']['language'] == "ja_JP") + $this->SetFont('SJIS','U',10); + $this->Write(0, str_pad($date, 13, " ")); + } + + } + } + + $format = array_key_exists('format',$_REQUEST)?$_REQUEST['format']:""; + if($format != "letter") + $format = "A4"; + + $maxpoints = array_key_exists('maxpoints',$_REQUEST)?intval($_GET['maxpoints']):0; + if($maxpoints < 0) + $maxpoints = 0; + + $pdf = new PDF('P', 'mm', $format); + if($_SESSION['_config']['language'] == "ja_JP") + $pdf->AddSJISFont(); + $pdf->Open(); + $pdf->AddPage(); + $pdf->Body(array_key_exists('name',$_REQUEST)?$_REQUEST['name']:"", array_key_exists('dob',$_REQUEST)?$_REQUEST['dob']:"", array_key_exists('email',$_REQUEST)?$_REQUEST['email']:"", array_key_exists('assurer',$_REQUEST)?$_REQUEST['assurer']:"", array_key_exists('date',$_REQUEST)?$_REQUEST['date']:"", $maxpoints, array_key_exists('document1',$_REQUEST)?$_REQUEST['document1']:"", array_key_exists('document2',$_REQUEST)?$_REQUEST['document2']:"", array_key_exists('location',$_REQUEST)?$_REQUEST['location']:""); + header("Expires: ".gmdate("D, j M Y 
G:i:s \G\M\T", time()+10800)); + header("Content-Disposition: attachment; filename=cap.pdf"); + header("Cache-Control: public, max-age=10800"); + header("Pragma: cache"); + $pdf->output(); + exit; +?> diff --git a/cacert/www/capnew.php b/cacert/www/capnew.php new file mode 100644 index 0000000..840fcca --- /dev/null +++ b/cacert/www/capnew.php 
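Review bot: The response headers mark the generated PDF as `Cache-Control: public, max-age=10800` even though it is built from request parameters that include a name, date of birth and e-mail address, so any shared cache between client and server may store and replay it for three hours. `header("Cache-Control: private, no-store");`, with the `Pragma: cache` and `Expires` lines dropped, fits a per-request document better. Separately, `$maxpoints` tests `array_key_exists('maxpoints',$_REQUEST)` but then reads `$_GET['maxpoints']`, so a posted value is detected and then read from an unset index; `intval($_REQUEST['maxpoints'])` keeps the two consistent.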
@@ -0,0 +1,1613 @@
+<?php
+/*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+// $Id: capnew.php,v 1.2 2009-03-02 23:09:05 root Exp $
+define('REV', '$Revision: 1.2 $');
+
+/*
+** Created from old cap.php 2003, which used the now obsoleted ftpdf package
+** First created: 12 July 2008
+** Last change: see Revision date
+** Reviews:
+** printed text by Ian Grigg and Teus Hagen (July 2008)
+** layout/design by Teus Hagen and Johan Vromans (July 2008)
+** coding by Teus Hagen and ...
+**
+** Installation:
+** std PHP lib:
+** recode_string(), zcompress() (PHP-ZLIB) only used if present
+** zcompress (pdf compression) gives performance loss, disable it?
+** PDF generation package (tcpdf/tcpdf.php):
+** TCPDF package + define the TCPDF_DIR install directory (GPL)
+** tcpdf package is patched for text subtypes see tcpdf diff file. 
+** Add free embedding zapfdingbat font
+** ttf2pt1 -F zapfdinbats.ttf -> zapfdingbats.utf metrics file
+** php -q makefont.php zapfsdingbats.ttf zapfdingbats.utf -> .php,.ctg.z,.z
+** install files: zapfdingbats.{php,z,ctg.z} in tcpdf/fonts dir
+** UTF8 package for unicode (utf8/native/core.php):
+** utf8_substr() only when package is found and needs to be used
+** transliteration (and abbreviation):
+** if full name has non-ascii char(s) try to use: utf8_to_ascii()
+** First from transtab.php package which is Markus Kuhn compliant
+** transtab.php is CAcert php package.
+** Transtab depends on on its turn on UTF8 package.
+** Secondly if not found utf8ascii lib tried (artistic license)
+** http://sourceforge.net/projects/phputf8
+** .../utf8_to_ascii-0.3.tar.gz
+** see UTF8_ASCII definition for location requirements
+** Thirdly: if not found transliteration feature is disabled.
+**
+** policy documents for pdf inclusion:
+** define CCA file (default policy)
+** LOGO: CAcert logo logos directory is LOGO
+**
+** Functionality:
+** Test: use environment variable settings as parameters for
+** Assuree: names, dob, sign date, id types, email
+** if name gets too long font size is increased to get it on one line
+** Assurer: name, email, dob (mutual ass), sign date
+** Assurance: location, date of assurance
+** Form fields: javascript form fields with fields for printout and change
+** Printout: printed, and completed for final signatures
+** On transliteration and abbreviation of a name:
+** if shoes a std way show accepted conversion as pdf comment
+** Orientation: on landscape (dflt) print 2-up
+** PDF URL links are used to web, wiki, and faq for more info search
+** Only on non-ascii chars in a name the utf8 routines are loaded
+** PDF reader has wiki info url's and easy email feedback
+** ENABLED:
+** included is the CCA generates 2 extra pages (needs work to limit vert spacing)
+**
+** For other re-use of some routines:
+** abbreviate() abbreviate a name on std 
way
+** transliterate() provide name in translated format in std way
+**
+** For tests:
+** environment settings (FORM, FORMAT, CCA, ...) define used test data
+** In test modus variable path_url from tcpdf package unset warnings
+** Set for operation modus TEST on false (or comment code out)
+**
+** Future:
+** digitally sign form and process it via network
+**
+** unicode and UTF-8 support:
+** php4/5 recode() is alias of recode_string() of PHP library
+** If not provided: should check every string is transcoded?
+** recode(), recode_string(0 is said to have too many (japanese) defeats
+** recode_string() is only used on GET[] input (html->utf-8),
+** UTF-8 use routines from http://www.sourceforge.net/projects/phputf8
+** which replaces php recode() package.
+** on many places own utf-8 handling code exists and is loaded (tcpdf problem)
+** _() translation routine. The returned HTML string is translated to utf-8 string.
+** the GET() routines expects utf-8 code (see test defs) but might be changed
+** to use html entity conversion routine of PHP (5.2 has a problem...).
+**
+** PDF compression zlib: (now disabled)
+** if PHP lib zcompress() is present, generated PDF is compressed
+**
+** FONTS future use ? http://www.slovo.info/unifonts.htm? (not used now)
+** or Bitstream Cyberbit http://www.orwell.ru/download/cyberbit.zip
+** Latter font is no longer for free download
+** For now: FreeVeraSans is used now and embedded (std in TCPDF package)
+** ZapfDingbat font: some Open Source readers have bad font handling or
+** no zapfdingbat font. So one is embedded
+** To be generated with tooling in util directory.
+**
+** TO DO, to CHECK and KNOWN PROBLEMS:
+** Japanse package (maybe not needed with TCPDF?) 
+** CCA informal should be on one page (no CCA printed yet)
+** form field checks, print button (Java script)
+** data structs in Java script and globalize property settings
+** XML
+** timestamping, signatures and certificate usage
+** list of recipients, encrypt the document and send it off
+** On Acrobat 7.0: first form field call error (have work around)
+** eps problem with logo (no eps logo yet)
+** multi selection of ID types in form fields (value editable now)
+** ugly capital char use in intro to bold or italic lowercase
+** tables over page boundaries do not fully work yet
+**
+** DEPENDENCIES:
+** This PDF GENERATION package relies on the PHP PDF generation
+** package of TCPDF source force project:
+** http://sourceforge.net/projects/tcpdf/ V 4.0.007 18th July 2008
+** The tcpdf software supports encryption, signatures, and form fields
+** TCPDF is using URF-8 code (good!)
+** The TRANSLITERATE code tables db (utf8ascii) is not compliant (!?) with
+** Markus Kuhn <http://www.cl.cam.ac.uk/~mgk25/> -- 2001-09-02
+** First is tried to use Markus his tables
+** For a test file with all chars see there (it is also in tcpdf package).
+** Both transliteration packages rely on UTF-8 code, only loaded when available and
+** when really needed.
+** PDF generation: The alternative is the one from the std PHP library.
+**
+** SECURITY:
+** PHP libs: packages seems to download files on the fly into local filesystem!!!
+**
+** All sizes (in mm) is related to A5 base, so other page formats are scaled.
+**
+** Parameters (API):
+** $_GET['date'] date of assurance and signature assuree
+** $_GET['name'] first full name assuree default empty for upward compatibility
+** $_GET['name1'] first full name assuree default empty equal to 'name' (new)
+** $_GET['name<%d>'] etc. 
%d = 1-9 (new)
+** $_GET['name1ID'] ID of first name (new)
+** $_GET['name<%d>ID'] ID of second name (new)
+** $_GET['name1Pnts'] assurance points for first name (new)
+** $_GET['name<%d>Pnts'] assurance points for second name (new)
+** $_GET['dob'] date of birth assuree default empty
+** $_GET['document1'] ID type assuree default empty (deprecated)
+** $_GET['document2'] second ID type assuree default empty (deprecated)
+** $_GET['email'] email address assuree default empty
+** $_GET['assurer'] full name assurer default empty
+** $_GET['assurerdob'] date of birth assurer default empty (new)
+** $_GET['assureremail'] email address assurer default empty (new)
+** $_GET['assurerdate'] date of signature assurer (new)
+** $_GET['assurancedate'] date of assurance (new)
+** $_GET['location'] location of assurance
+** $_GET['maxpoints'] max points allocated depends on assurer default 35
+** $_GET['nocca'] do not print CCA on back side (dflt: false)
+** $_GET['policy<%d>'] to include policy document(s) in pdf file %d = 1-9 (new)
+** $_GET['noform'] do not print form (dflt: true) (new)
+** $_GET['format'] paper format required A0-A6,Letter, Folio, B0-B6 (dflt A4)
+** $_GET['watermark'] watermark on the page
+** $_GET['orientation'] paper orientation default 'portrait'
+** $_SESSION['_config']['language'] for 'ja_JP' japanese default != ja_JP
+** $_SESSION['_config']['recode'] = 'format' recode() uses it: needed ?
+** recode() is aliased to php lib function recode_string()
+** $_REQUEST['bw'] if exists use black/white, default use colour
+**
+** Output, package generates:
+** PDF display screen is scaled to 150% A5 size
+** PDF property fields have CAcert info
+** on non empty _GET strings, the package generates prefilled form fields.
+** PDF form field variables (Java Script):
+** Assuree
+** Assuree.Names[].Name 1..9
+** Assuree.Names[].TypeID 1..9 language dependant (passport, ID card, etc.) 
+** Assuree.Names[].Points 1..9 points:empty, 0..max points (dflt max 35)
+** Assuree.Email
+** Assuree.DoB
+** Assuree.Date date of signature
+** Assurer
+** Assurer.Name string may have Assurer email address
+** Assurer.Email
+** Assurer.DoB
+** Assurer.Date date of signature
+** Assurance
+** Assurance.Location string may have date of meeting
+** Assurance.Date date of assurance
+** Form Revision string is generated from RCS revision string.
+** More info on PDF fields:
+** http://www.adobe.com/devnet/acrobat/pdfs/js_developer_guide.pdf
+**
+*/
+
+// use next define if you test this code
+define( 'TEST', true );
+// INSTALLATION DIRS OF PACKAGES ==============================
+// make sure packages are installed here
+define('RT','./');
+define('TCPDF_DIR', '/usr/share/tcpdf_php4');
+define('UTF8',RT.'/utf8/native/core.php');
+if( file_exists(RT.'/transtab.php') ) // wherever it is
+ define('UTF8_ASCII', RT.'/transtab.php');
+else
+ define('UTF8_ASCII', RT.'/utf8_to_ascii/utf8_to_ascii.php'); // optional
+// end operational special code defs
+
+if( defined( 'TEST' ) ) {
+ // ONLY FOR TEST PURPOSES =====================================
+ /* test data */
+
+ $_SESSION['_config']['recode'] = 'html..utf-8'; // ????
+ if( isset($_SERVER['LANG']) )
+ $_SESSION['_config']['language'] = $_SERVER['LANG'];
+
+ if( array_key_exists('FORMAT',$_SERVER) AND $_SERVER['FORMAT'] )
+ $_GET['format'] = $_SERVER['FORMAT'];
+ else {
+ //$_GET['format'] = 'A5'; // ok, default
+ //$_GET['format'] = 'Legal'; // ok
+ //$_GET['format'] = 'Folio'; // ok
+ //$_GET['format'] = 'Letter'; // letter little margin problem
+ //$_GET['format'] = 'A4'; // ok
+ }
+ if( array_key_exists('ORIENTATION',$_SERVER) AND $_SERVER['ORIENTATION'] )
+ $_GET['orientation'] = $_SERVER['ORIENTATION'];
+ else {
+ //$_GET['orientation'] = 'portrait'; // default 2 pages, or portrait
+ }
+ $_GET['nocca'] = isset($_SERVER['CCA']) ? 
$_SERVER['CCA'] : ''; + //$_GET['policy1'] = 'policy/PolicyOnPolicy.php'; + if( isset($_SERVER['FORM']) AND $_SERVER['FORM'] == 'noform' ) + $_GET['noform'] = 'true'; + + if( array_key_exists('FORM',$_SERVER) AND $_SERVER['FORM'] != 'empty' ){ + // assuree info part + $_GET['date'] = '2008-11-04'; + $_GET['name'] = 'drs. T. Fabrice Ghuege-Denis'; // upwards competable + $_GET['name1'] = $_GET['name']; // will void 'name' + $_GET['name1ID'] = 'rijbewijs'; + //$_GET['name1Pnts'] = ''; + $_GET['name2'] = 'drs. Teus F. Ghuege-Denis'; // second name + //$_GET['name2ID'] = ''; + $_GET['name2Pnts'] = '10'; // seems not to work properly yet + $_GET['name3'] = 'TänÑžs IʼntèrnÄ…tiϖalîsà tïǿn Ĝügé'; // third, show of javascript error + $_GET['name3ID'] = 'paspoort'; + $_GET['name3Pnts'] = '12'; + $_GET['name8'] = 'This Should Be invisible'; + $_GET['dob'] = '1945-10-06'; + $_GET['document1'] = 'führerschein'; + $_GET['document2'] = 'paspoort'; + $_GET['email'] = 'tesu.hagaen@thesu.xs4all.eu'; + // assurer info + $_GET['assurer'] = 'mr A. B. C. Äßurer';// one name only + $_GET['assurerdob'] = '2010-12-32'; // for mutual assurance + $_GET['assureremail'] = 'assurer.email@cacert.org'; // for mutual assurance + // meeting info + $_GET['location'] = 'Grubbenvorst, the Carabiën'; + $_GET['assurerdate'] = ''; + $_GET['assurancedate'] = '2008-12-31'; + $_GET['maxpoints'] = '20'; + $_GET['watermark'] = 'just an EXAMPLE'; + } else { + //$_GET['ALL'] = 'empty'; + } + + //$_REQUEST[bw] = true; + +} // end of TEST code =========================================================== + +/* Directory settings for installation */ +// change next for directory settings for packages !!!!!!!!!!!!!!!!!!!!!! +// set to correct internal path to TCPDF pakage installation +// Make sure pdf generation package is not connecting internet for +// whatever reason and downloading files into this host!!!! +// UCPDF as well PHP PDF std package have unsecure code as well.... +require_once(TCPDF_DIR . 
'/config/lang/eng.php');
+require_once(TCPDF_DIR . '/tcpdf.php');
+
+// CAcert logo path/file name is extended with eg color, mono and format type
+define( 'LOGO','logos/CAcert-logo-');
+// eps should give better quality, LOGO_TYPE -> .eps
+// eps does not work with CAcert logo, set to .eps when ok
+define( 'LOGO_DPI', '1000');
+define( 'LOGO_TYPE','-'.LOGO_DPI.'.png');
+// logo colors RGB hex
+define('BLUE', '#11568C'); // RGB 17 86 140
+define('LBLUE', '#ADC5D7'); // RGB 112 154 186
+define('LLBLUE','#D6E2EB'); // lighhter blue RGB 173 197 215
+define('LIME', '#C7FF00'); // RGB 199 255 0
+define('GREEN', '#00BE00'); // 0 190 0
+
+define('POBOX','CAcert Inc. - P.O. Box 4107 - Denistone East NSW 2112 - Australia');
+define('WEB', 'http://www.cacert.org');
+define('WIKI','http://wiki.cacert.org/wiki');
+define('ROOTKEYS','http://www.cacert.org/index.php?id=3');
+define('ASSCAP', WIKI.'/FAQ/AssuranceByCAP');
+define('ASSHBK', WIKI.'/AssuranceHandbook');
+define('ASSINFO', WIKI.'/FAQ/AssuranceInformationForCAP');
+define('ASSINTRO', WIKI.'/FAQ/AssuranceIntroduction');
+define('ASSORG', WIKI.'/OrganisationAssurance');
+define('ARBIT', WIKI.'/ArbitrationForum');
+// CAcert Community Agreement
+define('CCA', 'CAcertCommunityAgreement'); // default policy to print
+define('POLICY','policy/'); // default polciy doc directory
+define('EXT','.php'); // default polciy doc extention, should be html
+/* finger print CAcert Root Key */ // should obtain this automatically
+define('CLASS1_SHA1','135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33');
+define('CLASS3_SHA1','DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D');
+// next two are not used on the form
+define('CLASS1_MD5','A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B');
+define('CLASS3_MD5','73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6');
+// if on draft provide std message
+define('WATERMARK','');
+
+// other definitions for the form
+define('MAX_COLS', 2); // max coulumns per page Landscape is printed with 2-up
+// 
put next to 200 and it will disable printout
+define('MINH', 98.5); // in A5 mm is current estimated left over space on one page
+define('H', 5); // height of a name entry field
+//set margins
+define('MARGIN',11.296); // 2-up will be scaled
+// base of font size
+define( 'F_SIZE', 7 );
+
+define('DFL_FORMAT', 'html..utf-8');
+
+// enviroment dependent constants
+// Japanese is not supported?
+if( array_key_exists('_config', $_SESSION) ) {
+ if( isset($_SESSION['_config']['language']) ) {
+ if($_SESSION['_config']['language'] == 'ja_JP')
+ define('FONT','SJIS');
+ else define( 'FONT', 'freesans');
+ }
+ else define( 'FONT', 'freesans');
+}
+else
+ //define( 'FONT', 'dejavusans');
+ define( 'FONT', 'freesans');
+
+// generate black/white?
+if(array_key_exists('bw',$_REQUEST))
+ define('BW', true);
+else
+ define('BW', false);
+
+// function is left in tact, but to new tcpdf code UFT-8 is fully supported now.
+function my_recode($strg = NULL )
+{
+ static $format = NULL;
+ if( $strg == NULL OR !$strg ) return ( '' );
+ if( $format == NULL ) {
+ if( array_key_exists('_config', $_SESSION) ) {
+ if( isset( $_SESSION['_config']['recode']) )
+ $format = $_SESSION['_config']['recode'];
+ else $format = DFL_FORMAT;
+ }
+ else $format = DFL_FORMAT;
+ }
+ // newer tcpdf package is full UTF-8 Voided by this package? 
+ if( function_exists('recode_string' ) )
+ return ( recode_string($format, $strg) );
+ else return( $strg );
+}
+
+// return TRUE if string is ascii and not device control chars specialized for
+// personal names (no device controls)
+function utf8_is_ascii_ctrl($str) {
+ if ( strlen($str) > 0 ) {
+ // Search for any bytes which are outside the ASCII range,
+ // or are device control codes
+ //return (preg_match('/[^\x09\x0A\x0D\x20-\x7E]/',$str) !== 1); deleted \r and \n
+ return (preg_match('/[^\x09\x20-\x7E]/',$str) !== 1);
+ }
+ return FALSE;
+}
+
+
+// extend TCPF with custom functions
+class CAPPDF extends TCPDF {
+
+ // do cap form version numbering automatically '$Revision: 1.2 $'
+ /*public*/ function Version() {
+ strtok(REV, ' ');
+ return(strtok(' '));
+ }
+
+ /*public*/ function myHeader( $msg = NULL, $url = NULL )
+ {
+ static $my_url = NULL;
+ if( $msg != NULL ) {
+ $this->my_header_msg = $msg; $my_url = $url; return;
+ }
+ if( $this->my_header_msg == NULL ) return;
+ if( $this->msg_page_nr > 0 ) {
+ $font_fam = $this->FontFamily;
+ $font_style = $this->FontStyle.($this->underline ? 'U' : '').($this->linethrough ? 
'D' : '');
+ $font_size = $this->getFontSize();
+ $this->SetFont(FONT,'', F_SIZE-1);
+ $this->setXY($this->lMargin, MARGIN-3);
+ $this->Cell($this->colwidth, 3,$this->my_header_msg, 0, 0, 'R');
+ if( !empty($font_fam ) )
+ $this->SetFont($font_fam,$font_style,$font_size);
+ if( $my_url != NULL AND $my_url != '' )
+ $this->myLink($this->lMargin+$this->colwidth/2,$this->lMargin-4,$this->colwidth,(F_SIZE+5)/2.9,$my_url);
+ }
+ $this->setXY($this->lMargin, MARGIN+3);
+ $this->y0 = $this->getY();
+ }
+
+ // undefine default header and footer handling
+ // default routines do not handle columns
+ function Footer() { }
+ function Header() { }
+ function Mark( $string = '' ) {
+ return array( $string, 1+substr_count($string,'.') );
+ }
+
+ /*public*/ function myFooter( $msg = NULL, $url = NULL )
+ {
+ static $my_url = NULL;
+ if( $msg != NULL ) {
+ $this->my_footer_msg = $msg; $this->msg_page_nr = 0;
+ $my_url = $url; return;
+ }
+ if( $this->my_footer_msg == NULL ) return;
+ $this->InFooter = true;
+ $this->msg_page_nr++;
+ $font_fam = $this->FontFamily;
+ $font_style = $this->FontStyle.($this->underline ? 'U' : '').($this->linethrough ? 'D' : '');
+ $font_size = $this->getFontSize();
+ $this->SetFont(FONT,'', F_SIZE-1);
+ if( $this->msg_page_nr > 1 ) {
+ $this->SetXY($this->lMargin, $this->GetPageHeight()/$this->scale*100.0-6);
+ $this->Cell($this->colwidth, 3,
+ sprintf("%s %d", $this->unhtmlentities( _('page') ), $this->msg_page_nr),
+ 0, 0, 'C');
+ }
+ if( $this->my_footer_msg != '' ) {
+ $strg = '© '. date('Y'). ' CAcert Inc.'.', '. 
$this->my_footer_msg;
+ $this->SetXY($this->lMargin+MARGIN/2, $this->GetPageHeight()/$this->scale*100.0-6);
+ $this->Cell($this->colwidth, 3, $strg, 0, 0, 'R');
+ if( $my_url != NULL AND $my_url != '' )
+ $this->myLink($this->lMargin+MARGIN/2,$this->GetPageHeight()/$this->scale*100.0-6,$this->colwidth,(F_SIZE+5)/2.9,$my_url);
+ }
+ if( $this->Watermark != '' ) {
+ $this->StartTransform();
+ $savex = $this->GetX(); $savey = $this->GetY();
+ $this->SetFont(FONT,'', F_SIZE*7);
+ $l = $this->GetStringWidth($this->Watermark);
+ $h = $this->GetPageHeight()/$this->scale*100.0/2;
+ $w = $this->colwidth/2+MARGIN;
+ $this->SetXY(0,0);
+ $this->TranslateY($h+(F_SIZE*7)/2.9);
+ $this->TranslateX($w-MARGIN+$this->lMargin);
+ $this->Rotate(rad2deg(atan($h/$w)));
+ $this->Text(-$l/2,0,$this->Watermark, 0.8);
+ $this->StopTransform();
+ $this->SetXY($savex,$savey);
+ }
+
+ if( !empty($font_fam ) )
+ $this->SetFont($font_fam,$font_style,$font_size);
+ $this->InFooter = false;
+ }
+
+ // user and print preferences
+ // NumCopies, PrintPageRange, DisplayDocTitle, HideMenuBar, HideToolBar, ...
+ /*public*/ var $ViewerPrefs = array(
+ 'Duplex' => 'Simplex',
+ 'NumCopies'=> 2,
+ 'DisplayDocTitle' => 'CAcert Assurance Programme (CAP)',
+ 'HideToolBar' => true,
+ 'FitWindow' => true,
+ );
+
+ //number of colums
+ /*protected*/ var $ncols=1;
+
+ // columns width
+ /*protected*/ var $colwidth=0;
+
+ // space between columns
+ /*protected*/ var $column_space = 0;
+
+ //Current column
+ /*protected*/ var $col=0;
+
+ //Ordinate of column start
+ /*protected*/ var $y0;
+
+ // scaling factor
+ /*protected*/ var $scale = 100.0;
+
+ // print header and footer
+ /*protected*/ var $my_footer_msg = NULL;
+ /*protected*/ var $my_header_msg = NULL;
+ /*protected*/ var $msg_page_nr = 0;
+
+ // print short watermark on the page
+ /*public*/ var $Watermark = WATERMARK;
+
+ /*public*/ function SetFormat( $format = 'a5' ) {
+ switch( strtolower($format) ) {
+ // there is some scale problems with margins... 
+ case 'a1':
+ case 'b1':
+ $this->scale *= 1.4142;
+ case 'a2':
+ case 'b2':
+ $this->scale *= 1.4142;
+ case 'a3':
+ case 'b3':
+ $this->scale *= 1.4142; break;
+ case 'a5':
+ case 'b5':
+ $this->scale /= 1.4142; break;
+ case 'letter':
+ $this->scale *= 0.97; break;
+ default: $format = 'a4';
+ case 'a4':
+ case 'b4':
+ case 'folio':
+ case 'legal':
+ break;
+ }
+ $this->SetDisplayMode(intval($this->scale), 'SinglePage', 'UseOC');
+ return( $format );
+ }
+
+ //Set position at a given column
+ /*private*/ function SetCol($col = -1) {
+ static $pagecolwidth = 1.0;
+ static $column_space = 1.0;
+
+ $this->InFooter = true;
+ if( $col == -1 ) $col = $this->col+1;
+ if( $this->colwidth == 0 ) {
+ // only once at start; set default values
+ //set margins
+ $this->addPage(); $col = 0; // reset to zero
+ $this->SetMargins(MARGIN, MARGIN, MARGIN);
+ if( $this->CurOrientation != 'L' ) {
+ $this->scale *= 1.4142;
+ $this->ScaleXY($this->scale,0,0);
+ } else {
+ $this->scale *= 1.0;
+ $this->ScaleXY($this->scale,0,0);
+ }
+ $this->ncols = $this->CurOrientation == 'L'? MAX_COLS : 1;
+ $this->colwidth = $this->w / $this->scale * 100 / $this->ncols - MARGIN*2;
+ $pagecolwidth = $this->w/$this->ncols;
+ // space between columns
+ if ($this->ncols > 1) {
+ $column_space = round((float)($this->w - ($this->ncols * $pagecolwidth)) / ($this->ncols - 1));
+ } else {
+ $column_space = 0;
+ }
+ $this->y0 = $this->GetY();
+ }
+ else {
+ if( $col == $this->col ) { // reset on close of this column
+ $x = MARGIN + $this->col*($pagecolwidth+$column_space);
+ $this->SetLeftMargin($x);
+ //$this->SetRightMargin($this->w - $x - $this->colwidth);
+ }
+ $this->PrintTable('', -1); // if pending table close up table
+ $this->myFooter(); // print footer msg if defined
+ }
+ if( $col >= $this->ncols ) {
+ $this->addPage(); $col = 0;
+ $this->ScaleXY($this->scale,0,0);
+ $this->y0 = 0; //no header/footer done... 
+ } elseif ( $col > 0 AND $col < $this->ncols) {
+ // print column separator
+ $x = $this->w/$this->ncols*($this->col+1);
+ $y = $this->tMargin;
+ $this->SetLineWidth(0.1); $this->SetDrawColor(195);
+ $this->SetLineStyle(array('dash'=>'1,8') ); // gray dotted
+ $this->Line( $x, $y+27, $x, $y+185);
+ $this->SetLineWidth(0.2); $this->SetDrawColor(0);
+ $this->SetLineStyle(array('dash'=>'0') );
+ }
+ $this->col = $col;
+ // X position of the current column
+ $x = MARGIN + $col*($pagecolwidth+$column_space);
+ $this->SetLeftMargin($x);
+ $this->SetRightMargin($this->w - $x - $this->colwidth);
+ $this->SetXY($x, $this->y0);
+ $this->myHeader(); //print header msg if defined
+ $this->PrintTable('', 0); // if in table reprint title table
+ $this->InFooter = false;
+ }
+
+ //Method accepting or not automatic page break
+ /*public*/ function AcceptPageBreak() {
+ $this->SetCol();
+ return false;
+ }
+
+ // redefine this routine from tcpdf.php due to scaling bug
+ /*protected*/ function checkPageBreak($h) {
+ if (((($this->y + $h)*$this->scale/100.0) > $this->PageBreakTrigger) ) {
+ if ( !$this->InFooter ) {
+ if ( ($this->AcceptPageBreak())) {
+ $rs = '';
+ //Automatic page break
+ $x = $this->x;
+ $ws = $this->ws;
+ if ($ws > 0) {
+ $this->ws = 0;
+ $rs .= '0 Tw';
+ }
+ $this->AddPage($this->CurOrientation);
+ if ($ws > 0) {
+ $this->ws = $ws;
+ $rs .= sprintf('%.3f Tw', $ws * $k);
+ }
+ $this->_out($rs);
+ $this->y = $this->tMargin;
+ $this->x = $x;
+ }
+ }
+ }
+ }
+
+ /*private*/ function myLine( $x1 = 0, $y1 = 0, $x2 = 0, $y2 = 0 ) {
+ if ( BW ) {
+ $this->SetDrawColor(195);
+ } else {
+ $this->SetDrawColor(173,197,215);
+ }
+ $this->SetLineWidth(0.1); // small line in points collumn
+ $this->Line($x1, $y1, $x2, $y2 );
+ $this->SetLineWidth(0.2); $this->SetDrawColor(0);
+
+ }
+
+ /*private*/ function S( $value = 1.0 ) {
+ return( $value * $this->scale / 100.0 );
+ }
+
+ // put Link in user space
+ /*private*/ function myLink( $x, $y, $w, $h, $Lnk = NULL, $Type = 
array('SubType'=>'Link') ) {
+ if( $Lnk == NULL ) return;
+ if( $Lnk == '' ) $Lnk = WEB;
+ $this->Annotation( $this->S($x), $this->S($y), $this->S($w), $this->S($h), $Lnk, $Type);
+ }
+
+
+ //require_once('../utf8/native/core.php');
+ // only for to upper case //require_once('../utf8/utils/unicoe.php');
+
+ //setlocale(LC_ALL, 'de_DE');
+ // try to abbreviate a full name, returns name if abbreviation was/is done
+ // has pointers to sur name, first name, avoids titles and extentions
+ // is based that given names and family names starts with capital
+ // all names between first given name and surname are secondary names
+ // will use utf8 routines only when needed and available
+ /*private*/ function Abbreviate( $name = '') {
+ // need to change this for utf8 uppercase detection
+ // substr and strtoupper arte dependent of setlocale...
+ $substr = 'substr';
+ $strtoupper = 'strtoupper';
+ $tokens = array();
+ $cnt = preg_match_all('/([^\s\.]+\.|[^\s\.]+)/', $name, $tokens, PREG_SET_ORDER);
+ if( $cnt <= 0 ) return ( $name );
+ $fam = -1; $married = 0; $i = 0; $success = FALSE; $first_name = -1;
+ for( $j = 0; $j < $cnt ; $j++ ) {
+ $tk = $tokens[$j];
+ $nm = $tk[0]; if( $nm == '' ) continue;
+ // not utf8
+ $ltr = $substr( $nm, 0, 1 );
+ if(preg_match('/[^\x09\x20-\x7E]/',$ltr) !== 1 AND // it is utf8
+ function_exists( 'utf8_substr') ) {
+ $substr='utf8_substr';
+ //$strtoupper = 'utf8_strtoupper'; // requires utf8/utils/unicode.php
+ }
+ if( $strtoupper($ltr) != $ltr ) continue; // lower case setlocale dependent
+ elseif( preg_match('/\./', $nm ) ) {
+ if( $first_name < 0 ) $first_name = $j;
+ if( $first_name >= 0 ) $success = TRUE; // was abbreviated
+ continue; // title
+ }
+ if( $first_name < 0 ) $first_name = $j;
+ if( $married == 0 ) $fam = $j;
+ if( preg_match('/[-_]/', $nm ) ) {
+ // find special markers
+ if( $married == 0 ) $fam = $j;
+ $married++;
+ }
+ }
+ $name = '';
+ for( $j = 0; $j < $cnt; $j++ ){
+ $tk = $tokens[$j];
+ if( !isset($tk[0]) ) 
continue;
+ $nm = $tk[0]; if( $nm == '' ) continue;
+ if( $name != '') $name .= ' ';
+ $ltr = $substr( $nm, 0, 1 );
+ if( $j == $fam ) $name .= $nm;
+ elseif( $strtoupper($ltr) != $ltr ) $name .= $nm; // lower case
+ elseif( preg_match('/\./', $nm ) ) $name .= $nm;
+ elseif( $j < $fam ) { // need to abbreviate
+ // not utf8
+ // and abbreviate
+ if( $j == $first_name )
+ $abr = '('. $substr( $nm, 1 ) . ')';
+ else $abr = '.';
+ $name .= $ltr . $abr; $success = TRUE; // is abbreviated
+ } else $name .= $nm;
+ }
+ $ext = -1; for( $j = $cnt-1; $j >= 0 AND $j >= $fam; $j-- ) {
+ // try to find family names and see if there is abbreviation
+ $tk = $tokens[$j];
+ if( !isset($tk[0]) ) continue;
+ $nm = $tk[0];
+ if( $ext < 0 AND preg_match('/(^[^A-Z]|\.)/', $nm ) ) continue;
+ if( $ext < 0 ) $ext = $j+1;
+ if( preg_match('/\./', $nm ) ) { $success = TRUE; break; }
+ }
+ return( $success? $name : '' ); // and return abbriviated name
+ }
+
+ // set formfield coordinates
+ // this routine is needed due to field ordinates are not scaled and in user space
+ // to be called before form field call (or as width parameter)
+ // and just after with true argument to restore X Y ordinates.
+ /*private*/ function SetFieldXY( $x=NULL, $y=NULL, $w=0) {
+ static $savex;
+ static $savey;
+ static $restored = true;
+ $restoreXY = $x == NULL ? 
true : false;
+
+ if( $restored == $restoreXY )
+ $this->Error("internal Form Field save/restore error\n");
+ if( !$restoreXY ) {
+ /* save X Y ordinates */
+ $savex = $this->GetX(); $savey = $this->GetY();
+ // scale to user ordinates
+ $this->SetY( $this->S($y));
+ $this->SetX( $this->S($x));
+ } else {
+ /* restore X Y ordinates */
+ $this->SetY( $savey); // different from SetXY()
+ $this->SetX( $savex); // different from SetXY()
+ }
+ $restored = $restoreXY;
+ return( $this->S($w) );
+ }
+
+ // print Date on left or right side
+ /*private*/ function PrintDate( $x=10, $y=10, $dstrg='teus', $dvalue='1945-10-6', $field = NULL , $RL = 'L')
+ {
+ static $TextProps = array('strokeColor' => LLBLUE, 'value' => '', 'fillColor' => LBLUE , 'textSize' => '11', 'charLimit'=> 10);
+ // next statements will cause php to go into an infinite loop
+ //if( $dstrg != NULL AND $dstrg == '')
+ // $TextProps['userName'] = $this->unhtmlentities( _("On mutual assurance provide Assurer date of birth (yyyy-mm-dd)") );
+ //else
+ $TextProps['userName'] = $this->unhtmlentities( _("yyyy-mm-dd") );
+
+ $this->SetFont( FONT, '', F_SIZE);
+ $this->SetXY($RL == 'L'? $x : $x-50, $y);
+ $this->Cell(50, 3, $dstrg, 0, 0, $RL);
+ if($dvalue) {
+ $this->SetXY($RL == 'L'? $x :$x-50, $y+3.5);
+ $this->SetFont(FONT, 'B', F_SIZE);
+ $this->Cell(50, 3, $dvalue, 0 , 0, $RL);
+ }
+ if( $field == NULL ) return;
+ $TextProps['value'] = $dvalue;
+ $this->TextField($field, $this->SetFieldXY(($RL == 'L'? $x+1 : $x-17), ($y+3.5),17), 5, $TextProps );
+ $this->SetFieldXY();
+ }
+
+ // Add import HTML text eg from CCA
+ /*private*/ function PrintHTML( $url = NULL ) {
+ if( $url == NULL OR $url == '' ) return;
+ $error = ''; $title = ''; $url = POLICY.$url.EXT;
+ if( ! file_exists($url) ) $url = WEB.'/'.$url;
+ $data = file_get_contents($url);
+ if( !$data ) $error = "\nInternal Error: no ".$url.' 
found.';
+ else {
+ $regs = array();
+ preg_match('/<[Tt][Ii][Tt][Ll][Ee][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no open tag title found on $url.";
+ else {
+ $start = strpos($data, $regs[0]) + strlen($regs[0]);
+ $data = substr($data, $start);
+ }
+ $regs = array();
+ preg_match('/<\/[Tt][Ii][Tt][Ll][Ee][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no close title tag found on $url.";
+ else {
+ $end = strpos($data, $regs[0]);
+ $title = trim(substr($data,0,$end));
+ $data = substr($data, $end+strlen($regs[0]));
+ }
+ $regs = array();
+ preg_match('/<[Bb][oO][Dd][yY][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no open html body tag found on $url.";
+ else {
+ $start = strpos($data, $regs[0]) + strlen($regs[0]);
+ $data = substr($data, $start);
+ }
+ $regs = array();
+ preg_match('/<\/[Bb][oO][Dd][yY][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no closing html body tag found on $url.";
+ else {
+ $end = strpos($data, $regs[0])-1;
+ $data = substr($data, 1, $end);
+ }
+ }
+ if( !$title ) $title = $url;
+ $this->SetCol();
+ $this->setFont(FONT, F_SIZE);
+ if( !$error ) {
+ $this->PrintHeader($this->unhtmlentities( _($title) ), $this->unhtmlentities( _('policy document') ), strncmp($url,WEB,strlen(WEB))==0? $url : (WEB.'/'.$url));
+ if( $title ) $this->Bookmark($title,0);
+ $this->writeHTMLCell($this->colwidth,2.5,$this->lMargin+1,$this->GetY()+2.5,
+ $data, 0,2,0,'L');
+ }
+ else
+ $this->MultiCell($this->colwidth, 3, $error);
+ }
+
+ /*private*/ function PrintCAP($assuree = NULL, $assurer = NULL, $assurance = NULL, $page = NULL ) {
+ $this->SetCol();
+ $this->PrintHeader($this->unhtmlentities( _('CAcert Assurance Programme') ), $this->unhtmlentities( _('Identity Verification Form (CAP) form') ), defined('ASSCAP')?ASSCAP:'',defined('WEB')? 
WEB.substr(__FILE__, strrpos(__FILE__,'/')) : '');
+ // define slightly different footer message
+ $this->myFooter('V'. substr($this->Version(), 0, strpos($this->Version(), '.')).', '. $this->unhtmlentities( _('generated') ).' '.date('Y-n-j'), NULL);
+ $this->AssuranceInfo($assurance);
+ $this->InfoAssuree($assuree, $assurer, $assurance);
+ $this->StatementAssuree( $assuree['date']);
+ $this->StatementAssurer( $assurer, $assurance );
+ }
+
+ //Add form and/or CCA (on duplex only when more as one page is printed)
+ /*public*/ function PrintForm( $assuree = NULL, $assurer = NULL, $assurance = NULL, $page = NULL ) {
+
+ for($cnt=0 ; $cnt < $this->ncols; $cnt++ ) {
+ if( !isset( $page['form']) OR $page['form'] ) {
+ // the form is one page, use new room?
+ if ( $assuree == NULL OR $assurer == NULL OR $assurance == NULL )
+ $this->Error('Assuree or Assurer data records failure');
+ $this->PrintCap( $assuree, $assurer, $assurance);
+ }
+
+ // print off policy documents to be included in pdf file
+ foreach( $page['policies'] as $i => $file ) {
+ $this->Watermark = WATERMARK; // no watermark on these pages
+ if( $file ) $this->PrintHTML( $file );
+ }
+ if( $this->col > 0 OR $this->getPage() > 1 ) break;
+ }
+ if( $this->getPage() > 1 ) {
+ // and on duplex print back side with Community Agreement
+ if( $this->CurOrientation == 'P' )
+ $this->ViewerPrefs['Duplex'] = 'DuplexFlipLongEdge';
+ else
+ $this->ViewerPrefs['Duplex'] = 'DuplexFlipShortEdge';
+ }
+ // close up this column, make sure footer is printed. 
+ $this->my_header_msg = NULL; $this->SetCol($this->col); + } + +// Set form title (right align) +/*public*/ function PrintHeader($title1 = ' ', $title2 = ' ' , $url1 = NULL, $url2 = NULL) { + // store current top margin value + $tSide = $this->tMargin; + + // CAcert logo + // eps should be better, but it does not seem to work with CAcert logo + $this->rMargin -= 1; + $this->myFooter($title1,$url1); + $this->myHeader($title2,$url2); + if( LOGO_TYPE == '.eps' ) + $this->ImageEPS(BW?LOGO.'mono'.LOGO_TYPE:LOGO.'colour'.LOGO_TYPE, + ($this->lMargin+$this->colwidth)-51,$tSide-3,51); + else + // png image 1000 X 229 * 8 bits + $this->Image(BW?LOGO.'mono'.LOGO_TYPE:LOGO.'colour'.LOGO_TYPE, + ($this->lMargin+$this->colwidth)-51,$tSide-3,51,0,0, + NULL,0,true,intval(LOGO_DPI)); + $this->myLink($this->lMargin+$this->colwidth-51, $tSide-3,51,51/1000*229,WEB); + // form type + $this->SetFont(FONT,'B',F_SIZE+5); + $this->SetY($tSide+5); $this->SetX($this->lMargin); + $l = $this->GetStringWidth($title1); + $this->Cell($this->colwidth+1,14,$title1,0,0,'R',0,NULL); + if( $url1 != NULL AND $url1 != '' ) + $this->myLink($this->lMargin+$this->colwidth-$l,$this->GetY()+5,$l,(F_SIZE+5)/2.9,$url1); + $this->Ln(5); $this->SetX($this->lMargin); + $l = $this->GetStringWidth($title2); + $this->Cell($this->colwidth+1,14,$title2,0,0,'R',0,NULL); + if( $url2 != NULL AND $url2 != '' ) + $this->myLink($this->lMargin+$this->colwidth-$l,$this->GetY()+5,$l,(F_SIZE+5)/2.9,$url2); + + // CAcert Inc. postbox address + $this->Ln(6); $this->SetX($this->lMargin); + $this->SetFont(FONT,'',F_SIZE); + $savex = $this->GetX(); $savey = $this->GetY(); + $strg = POBOX .' - '. 
WEB; + $this->SetXY($this->lMargin+$this->colwidth-$this->GetStringWidth($strg)-1.1,$this->GetY()+3.5); // right align + if( !BW ) $this->SetTextColor(17,86,140); + $ret = $this->Write(0, $strg, NULL); + $l = $this->GetStringWidth($strg); + $this->myLink($this->lMargin+$this->colwidth-$l,$this->GetY()+0.5,$l,F_SIZE/2.9,WEB); + $this->Ln(); + if( !BW ) $this->SetTextColor(0); + $this->SetXY($savex,$savey); + + // sha1 fingerprint CAcert rootkeys class 1 and class 3 + $strg = $this->unhtmlentities( _("CAcert's Root Certificate sha1 fingerprints") ) . ', class 1: '. CLASS1_SHA1 . ', class 3: ' . CLASS3_SHA1; + $this->Ln(3); $this->SetX($this->lMargin); + $this->SetFont(FONT,'',F_SIZE * $this->colwidth / ($this->GetStringWidth($strg) +1)); + $this->Cell($this->colwidth,10, $strg,0,0,'C',0,NULL); + $this->myLink($this->lMargin, $this->GetY()+4,$this->colwidth,F_SIZE/2.9,ROOTKEYS); + $this->SetLineWidth(0.1); + if ( BW ) { $this->SetDrawColor(195); + } else { $this->SetDrawColor(17,86,140); + } + + $this->Line($this->lMargin, $tSide+25, $this->lMargin+$this->colwidth, $tSide+25); + $this->SetLineWidth(0.2); $this->SetDrawColor(0); + $this->rMargin += 1; + $this->SetXY($this->lMargin, $tSide+26); // top + } + +// Set general form information + /*private*/ function PrintInfo( $strg = '', $url = '') { + // store current margin values + + // Print text blurb paragraph at top of page + $this->SetFont(FONT,'',F_SIZE+0.5); + $this->SetXY($this->lMargin, $this->GetY()-1.5); + $y = $this->GetY(); $x = $this->GetX(); + $cnt=$this->MultiCell($this->colwidth+1, 0, $strg,0,'L',0,2); + if ( $url != '' ) // link should be in user space + $this->myLink($x, $y, $this->colwidth, $this->GetY()-$y, $url); + return($cnt); + } + +// print general CAP info +/*public*/ function AssuranceInfo( $assurance = NULL ) { + // store current margin values + $cellcnt = 0; + $this->SetY($this->GetY()+0.5); + $this->Bookmark($this->unhtmlentities( _('CAcert CAP form') ),0,$this->S($this->GetY())); + + // 
Show text blurb at top of page + $strg = $this->unhtmlentities( _('The CAcert Assurance Programme (CAP) aims to verify the identities of Internet users through face to face witnessing of government-issued photo identity documents.') ); + $strg .= ' '. $this->unhtmlentities( _("The Applicant asks the Assurer to verify to the CAcert Community that the Assurer has met and verified the Applicant's identity against original documents.") ); + $strg .= ' '. $this->unhtmlentities( _('Assurer may leave a copy of the details with the Applicant, and may complete and sign her final form after the meeting.') ); + $strg .= ' '. $this->unhtmlentities( _("If there are any doubts or concerns about the Applicant's identity, do not allocate points. You are encouraged to perform a mutual Assurance.") ); + $cellcnt += $this->PrintInfo( $strg, defined('ASSINTRO')? ASSINTRO:''); + $cellcnt += $this->PrintInfo( $this->unhtmlentities( _('For more information about the CAcert Assurance Programme, including detailed guides for CAcert Assurers, please visit:') ).' '.WEB, defined('ASSCAP')?ASSCAP:''); + $cellcnt += $this->PrintInfo( $this->unhtmlentities( _('A CAcert Arbitrator can require the Assurer to deliver the completed form in the event of a dispute. After 7 years this form should be securely disposed of to prevent identity misuse. E.g. shred or burn the form. 
The Assurer does not retain copies of ID at all.') ),defined('ARBIT')?ARBIT:''); + $cellcnt += $this->PrintInfo( $this->unhtmlentities( _('For the CAcert Organisation Assurance Programme there is a separate special COAP form.') ),defined('ASSORG')?ASSORG:''); + $this->SetY($this->GetY()-0.1); + $this->PrintLocation( $assurance ); + $this->SetY($this->GetY()+1); + + } + + // print empty table with title for statements (called twice per table) + /*private*/ function PrintTable( $strg = NULL, $height = -1, $ext = 0 ) { + // store current margin values + static $tSide = -1; + static $title = ''; + if( $height < 0 ) { // mark table position, leave room for title + if( $strg != '' ) $title = $strg; + if( $title == '' ) return ($this->GetY()); // nothing to do + $tSide = $this->GetY()+1; + // background + if ( BW ) { + $this->SetFillColor(195); + $this->SetDrawColor(195); + } else { + $this->SetFillColor(173,197,215); + $this->SetDrawColor(173,197,215); + } + $this->Rect($this->lMargin-1,$tSide-1,1,9, 'F'); + $this->Rect($this->lMargin-1,$tSide-1,$this->colwidth,1, 'F'); + $this->SetFillColor(255); + if ( BW ) { $this->SetFillColor(125); + } else { $this->SetFillColor(17,86,140); + } + $this->Rect($this->lMargin,$tSide,$this->colwidth,7, 'DF'); + $this->SetFillColor(255); $this->SetDrawColor(0); + + $this->SetXY($this->lMargin+1, $tSide+0.6); + $this->Bookmark($title,1,$this->S($tSide)); + $this->SetFont(FONT, '', F_SIZE+7); + $this->SetTextColor(255); + $this->Write(0, $title); + $this->SetTextColor(0); + $this->SetXY($this->lMargin+1, $tSide + 7); + $tSide += 8; // save old top + if ( $height != 0 ) return($this->GetY()); + } + elseif( $tSide < 0 ) return( $this->GetY()); + if( $height == 0 ) { // interrupted bottum of column reached + $height = $this-GetY() - $tSide; $save = $title; + $this->PrintTable('', $height); // finish till bottumn page + $tSide = $this->originalMargin; + $title = $save; + return( $this->GetY()); + } + if( $strg != '' ) $title = $strg; // just 
to be defensive + + // background + if ( BW ) { + $this->SetFillColor(195); + $this->SetDrawColor(195); + } else { + $this->SetFillColor(173,197,215); + $this->SetDrawColor(173,197,215); + } + $this->Rect($this->lMargin-1,$tSide,1,$height-1+$ext, 'F'); + if( $ext ) + $this->Rect($this->lMargin-1,$tSide+$height,$this->colwidth,$ext, 'F'); + $this->SetFillColor(255); + // borders of the table left, bottumn, right + $this->Line($this->lMargin,$tSide+$height-1, $this->lMargin, $tSide+$height); + $this->Line($this->lMargin,$tSide+$height,$this->lMargin+$this->colwidth,$tSide+$height); + $this->Line($this->lMargin+$this->colwidth,$tSide-1, $this->lMargin+$this->colwidth, $tSide+$height); + $this->SetDrawColor(0); + $this->SetY($tSide + $height + 1); // set Y ordinate to plus 7 + $tSide = -1; $title = ''; + return($this->GetY()); + } + +// assuree information + /*private*/ function PrintName( $names = NULL, $assurancemax = -1 ) { + //$H = 5; // height of the name cell + $name = $names == NULL ? '': $names['name']; + $id_type = $names == NULL ? '' : $names['idtype']; + // store current margin values + static $nr = 0; + static $idtypes = NULL; + static $listpoints = NULL; + static $ComboProps = array( 'fillColor'=> LBLUE, 'strokeColor'=> LLBLUE, 'editable'=> 'true', 'textSize' => 9, 'rotate'=> '0'); + static $TextProps = array('strokeColor'=> LLBLUE, 'value' => ' ', 'fillColor'=> LBLUE, 'doNotScrole'=> 'false', 'textSize' => 12, 'rotate'=> '0'); + static $TextBlankProps = array('strokeColor'=> 'white', 'fillColor'=> 'white', 'readonly' => 'true', 'doNotScrole'=> 'true', /* 'lineWidth'=> '0'*/); + $TextProps['textSize'] = 12/6*H; + + $nr++; + $savey = $this->GetY(); + + $namepoints = intval($names == NULL? 
-1 : $names['points']); + if( $namepoints <= 0 ) $namepoints = $assurancemax; + if( $namepoints <= 0 OR $namepoints >= 35 ) $namepoints = 35; + if( $listpoints == NULL ) { + $listpoints = array( 0=> ' '); + for ($i = 0; $i <= $namepoints; $i++) + $listpoints += array( ($i+1) => sprintf("%d",$namepoints-$i) ); + } + $points = sprintf("AssureeNames_%d_Points", $nr); + + // just once to recover from Acrobat 7.0 problem !!!!!!!!!!!!!!!!!!!!!!!!!! + // make sure before the first time form field JS is called the fake is done + static $AcrobatName = array('strokeColor'=> LLBLUE, 'fillColor'=> LLBLUE, 'readonly' => 'true'); + if( $AcrobatName != NULL ) { + $this->TextField( 'NameNone', $this->SetFieldXY(300, $this->GetY()+2, 0), 0, $AcrobatName); + $this->SetFieldXY(); $AcrobatName = NULL; + } + static $AcrobatCombo = array( 'fillColor'=> LLBLUE, 'strokeColor'=> LLBLUE, 'editable'=> 'false'); + if( $AcrobatCombo != NULL ) { + $this->ComboBox( 'PointsNone', $this->SetFieldXY(300, $this->GetY()+20, 0), 0, array(' '), $AcrobatCombo); + $this->SetFieldXY(); $AcrobatCombo = NULL; + } + // end of Acrobat defeat !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + + $this->ComboBox( $points, $this->SetFieldXY($this->lMargin+$this->colwidth-15, $this->GetY()+2, 10),(5/6*H), $listpoints, $ComboProps); + $this->SetFieldXY(); + // small line in points collumn + $this->myLine($this->lMargin+$this->colwidth-8.5,$savey+H+0.3,$this->lMargin+$this->colwidth-8,$savey+H+0.3); + if( $namepoints >= 0 ) { + // this seems not to be visible: no points printed... + $this->SetXY( $this->lMargin+$this->colwidth-17.5, $savey+1 ); + $this->SetFont(FONT, 'B', (F_SIZE+1)/6*H); + $this->Cell( 15, sprintf("(%d)", $namepoints), 0, 0, 'C'); + } + + $TextProps['value'] = $name ? 
$name : ' '; $TextProps['textSize'] = 14; + $TextProps['userName'] = $this->unhtmlentities( _('Exact full name as on shown ID for this name.') ); + $this->TextField(sprintf('AssureeNames_%d_Name',$nr), $this->SetFieldXY($this->lMargin+2,$savey+0.9,$this->colwidth-40), 8/6*H, $TextProps); + $this->SetFieldXY(); + $this->SetXY($this->lMargin+2, $savey); + if($name) { + $token = $name; + $fnt = (F_SIZE+4)/6*H; + $this->SetFont(FONT, 'B', $fnt); + $lngth = $this->GetStringWidth($token); + if( $lngth > $this->colwidth-35 ) $fnt *= ($this->colwidth-35) / $lngth; + $this->SetFont(FONT, 'B', $fnt); + $this->MultiCell($this->colwidth-25, 0, $token, 0, 'L'); + if( function_exists('utf8_to_ascii') AND + !utf8_is_ascii_ctrl( $name) ) + $ascii = utf8_to_ascii($name); + else + $ascii = ''; + $abbr = $this->Abbreviate( $name ); + if( strcmp($ascii,$name) != 0 OR strcmp($abbr,$name) != 0) { + $msg = $this->unhtmlentities( _('The exact name of the assuree may have transliterated characters and/or some given names may be abbreviated. If present the first given name will be shown abbreviated and parentheses around the last part of the given name.\n') ); + if( $ascii != '' AND strcmp($ascii,$name) != 0 ) $msg .= $this->unhtmlentities( _('transliterated: ') ). $ascii.'\n'; + if( $abbr != '' AND strcmp($abbr, $name) != 0 ) $msg .= $this->unhtmlentities( _('abbreviated: ') ). 
$abbr.'\n'; + $this->myLink($this->lMargin-7, $savey+1, 3, 3, $msg, + array('subtype'=> 'Text', 'Open' => 'false', + 'c'=> array(173,197,215), 'name'=> 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _('On the assuree full name') ))); + } + } else { + $id_type = ''; + // no name, give a line to write on + $this->myLine($this->lMargin+2,$savey+H+0.3,$this->lMargin+$this->colwidth-37,$savey+H+0.3); // line under name + } + $this->SetXY($this->lMargin+2, $savey); + if ( !$name ) $idtypes = NULL ; + if( $idtypes == NULL ) { + $idtypes = array( ); $i = 0; + if (!$name) $idtypes = array( $i++ => ' '); + if( $id_type ) { + $token = $id_type; + $token = strtok($token,'/'); + for( ; $token != ''; $i++) { + $idtypes += array( $i => $token ); $token = strtok('/'); + } + } + $idtypes += array( $i => $this->unhtmlentities( _('passport') ), $this->unhtmlentities( _('driver license') ), $this->unhtmlentities( _('ID card') ), $this->unhtmlentities( _('mil. ID') ), $this->unhtmlentities( _('certificate') ), $this->unhtmlentities( _('TTP') ) ); + } + if( !$id_type ) { + $this->myLine($this->lMargin+$this->colwidth-37,$savey+H+0.3,$this->lMargin+$this->colwidth -17,$savey+H+0.3);// line under ID + $this->myLine($this->lMargin+$this->colwidth-37,$savey+H-0.7,$this->lMargin+$this->colwidth-37,$savey+H+0.1); // l small ID vert + } else { + $this->SetXY($this->lMargin+20, $savey+1); + $this->SetFont(FONT, 'B', (F_SIZE+1)/6*H); + $this->Cell($this->colwidth-37, 2, '('.$id_type .')', 0, 0, 'R'); + // hide id type print on screen with the formfields, just nicety + // one could extend the name field, but this has more drawbacks + $this->TextField(sprintf('AssureeNames_%d_None',$nr), $this->SetFieldXY($this->lMargin+$this->colwidth-38,$savey+0.5,20), 7/6*H, $TextBlankProps); + $this->SetFieldXY(); + } + $this->ComboBox( sprintf("AssureeNames_%d_TypeID",$nr), $this->SetFieldXY($this->lMargin+$this->colwidth-37, $savey+2, 19), 5/6*H, $idtypes, 
$ComboProps); + $this->SetFieldXY(); + $this->SetXY($this->lMargin+2, $savey+H); + return( $name ); + } + +// All information of Assuree goes in one table +/*public*/ function InfoAssuree( $assuree = NULL, $assurer = NULL, $assurance = NULL ) { + $dob = $assuree['dob']; + $email = $assuree['email']; + $assurancemax = $assurance['maxpoints']; + if( $assurancemax <= 0 ) $assurancemax = 35; + + // Assuree Identity information part + $tSide = $this->PrintTable($this->unhtmlentities( _("Applicant's Identity Information") ))+1; + + $msg = $this->unhtmlentities( _('Some examples of possible standard transliterations in a full individual name. If more than one transliteration of a character is possible, it is denoted within parentheses.') ); + $msg .= $this->unhtmlentities( _('a and y umlaut, and o/slash examples of accepted transliterations for the full name(s)') ).':'; + $msg .= "\n* ". 'J(ae|a)hny G(oe|o)le McName'; + $msg .= "\n\n".$this->unhtmlentities( _('As an example standard abbreviation on given names is provided here. If a given name is counted as first given name part of the name is denoted with parentheses around the name.') ); + $msg .= $this->unhtmlentities( _('Examples of accepted abbreviation(s) for full name(s)') ).':'; + $msg .= "\n* ". 'sir J(ähnÿ) G. McName'; + $msg .= "\n"; + // put hint on comparing names on title table + $this->myLink($this->lMargin-7, $tSide-7, 5, 5, $msg, + array('subtype'=> 'Text', 'Open' => 'true', + 'c'=> array(173,197,215), 'name'=> 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _('On comparing names') ))); + + // names of applicant + $this->SetXY($this->lMargin+1, $tSide); + $this->SetFont(FONT, '', F_SIZE+1); + $this->Write(0, $this->unhtmlentities( _('Exact full name on the ID') ).': '); + $strg = '('. 
$this->unhtmlentities( _('type of ID shown') ).')'; + $this->SetFont(FONT, '', F_SIZE); + $this->SetXY($this->lMargin+$this->colwidth-$this->GetStringwidth($strg)-19, $tSide); + $this->Write(0, $strg); + if( $assurancemax > 0 AND $assurancemax <= 50 ) { + $strg = sprintf($this->unhtmlentities( _('max') ) . " %d", $assurancemax); + $this->SetFont(FONT, F_SIZE); + $strg = $strg; + $this->SetXY($this->lMargin+$this->colwidth-19, $tSide); + $this->Cell(20, 3, $strg, 0, 0, 'C'); + } + $this->SetXY($this->lMargin+2, $tSide+3); + + // all (max) three names with ID type right aligned. + $cnt = $assuree['namecnt']; + $space = $this->getPageHeight()/$this->scale*100.0 -MINH ; // margin + for( $i = 0; $i < $cnt; $i++ ) { // names to be printed + $this->PrintName( $assuree['names'][$i], $assurer['maxpoints'] < 0? 35: $assurer['maxpoints'] ); + if( $space < $this->getY() ) break; + } + for( $j=0 ; $j < $i+3; $j++ ) { + // empty fields up to max 3 empty fields and allowed space + if( $space < $this->getY() ) break; + $this->PrintName( NULL, $assurer['maxpoints'] < 0? 35: $assurer['maxpoints']); + } + + // email address assuree + $savey = $this->GetY()+1; + $this->myLine($this->lMargin+$this->colwidth-17,$savey-0.7,$this->lMargin+$this->colwidth,$savey-0.7); // line above DoB + $this->myLine($this->lMargin+$this->colwidth-17,$tSide+3,$this->lMargin+$this->colwidth-17,$savey-0.7); // left points column + $this->SetXY($this->lMargin+1, $savey); + $this->SetFont(FONT, '', F_SIZE); + $strg = $this->unhtmlentities( _('Email address') ).': '; + $l = $this->GetStringWidth($strg); + $this->Write(0, $strg); + if($email) { + $this->SetFont(FONT, 'B', F_SIZE+1); + if( !BW ) $this->SetTextColor(17,86,140); $this->SetXY($this->GetX(),$this->GetY()-0.35); + $ret = $this->Write(0, $email); + $this->myLink($this->lMargin+2,$this->GetY(),$l, F_SIZE/2, 'mailto:'.$email.'?subject=Your CAcert Assurance'); + $this->Ln(); + if( !BW ) $this->SetTextColor(0); + } + // somehow fields are not scaled.... 
+ $TextProps = array('strokeColor'=> LLBLUE, 'value' => '', 'fillColor'=> LBLUE, 'doNotScrole'=> 'true', /* 'lineWidth'=> '0', */ 'textSize' => '11', 'rotate'=>0, 'userName'=> $this->unhtmlentities( _('email address as e.g. john.family@gmail.com') ) ); + $TextProps['value'] = $email; + $this->TextField('AssureeEmail', $this->SetFieldXY($this->lMargin+2+$l, $savey,$this->colwidth-40-$l), 5, $TextProps); + $this->SetFieldXY(); + + $this->SetXY($this->lMargin+$this->colwidth-25, $savey); + // date of birth assuree + $strg = $this->unhtmlentities( _('Date of Birth') ); + if( $dob == '' ) + $strg .= ' ('.$this->unhtmlentities( _("yyyy-mm-dd") ). ')'; + $this->PrintDate( $this->lMargin+$this->colwidth-3, $savey, $strg, $dob, 'AssureeDoB', 'R'); + $savey += 4; + + $this->myLine($this->lMargin+$this->colwidth-16.9,$tSide-7.0,$this->lMargin+$this->colwidth-16.9,$tSide-2); // column left + $this->SetXY($this->lMargin+$this->colwidth-14.95, $tSide-8.7); + $this->SetFont(FONT, '', F_SIZE); + $this->SetTextColor(255); + $this->MultiCell(14.9,2, $this->unhtmlentities( _("points allocated") ), 0, 0, 'C'); + $this->SetTextColor(0); + $this->SetXY($this->lMargin+1, $savey); + $savey += 3; // save some room for DoB + $next = $this->PrintTable( '', $savey-$tSide, 5); + $this->SetY($next); + } + + // print marked paragraph in the table + /*private*/ function PrintTicked( $strg = '', $tick = true ) { + // store current margin values + $savey = $this->GetY(); + + $celcnt = 0; $this->SetX($this->lMargin + 1); + if( $tick ) { + // use ✔ and â‘ of zapfdingbats font for OK tick + $savex = $this->GetX(); + $this->SetXY($this->GetX(), $savey+0.9); + $this->SetFont('zapfdingbats', F_SIZE+3); + $this->Write(0,'q'); // â‘ + $this->SetXY($savex+0.1, $savey+0.1); + if ( BW ) + $this->SetTextColor(80); + else + $this->SetTextColor(17, 86, 140); + //$this->SetTextColor(0,92,0); // #00BE00 lime + $this->Write(0,'4 ');// ✓ + $this->SetTextColor(0); + } + $this->SetXY($this->GetX(), $savey); + 
$this->SetFont(FONT,'',F_SIZE+0.5); + $celcnt = $this->MultiCell($this->lMargin+$this->colwidth-$this->GetX(), 3, $strg,0,'L'); + $this->SetXY($this->lMargin+1, $this->GetY()-1.5); + return($celcnt); + } + +// assuree statement +/*public*/ function StatementAssuree( $date = '' ) { + // store current margin values + $cellcnt = 0; + + // assuree statement section + $tSide = $this->PrintTable($this->unhtmlentities( _("Applicant's Statement") )); // mark table header + + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _("Make sure you have read and agreed with the CAcert Community Agreement") ), false /* no tick */); + if( !BW ) $this->SetTextColor(17, 86, 140); + $ret = $this->Write($this->lasth, WEB.'/'.POLICY.CCA.EXT, NULL); + $this->myLink($this->lMargin+1, $this->GetY()-F_SIZE/2.9, $this->colwidth-2, F_SIZE*2.9/2.9, WEB.'/'.POLICY.CCA.EXT); + $this->Ln(4); + if( !BW ) $this->SetTextColor(0); + + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _('I hereby confirm that the information stating my Identity Information above is both true and correct, and request the CAcert Assurer (see below) to witness my identity in the CAcert Assurance Programme.') ), true /* tick */); + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _('I agree to the CAcert Community Agreement.') ), true /* tick */); + + $this->Ln(0.5); + $this->SetFont(FONT, F_SIZE+1); $savey = $this->GetY(); + $strg = $this->unhtmlentities( _('Date') ); + if($date == '') + $strg .= ' ('. $this->unhtmlentities( _("yyyy-mm-dd") ) . 
')'; + $strg = $strg; + $this->PrintDate( $this->lMargin+1, $savey+1, $strg, $date, 'AssureeDate', 'L'); + + $strg = $this->unhtmlentities( _("Applicant's signature") ); + $this->SetFont(FONT, '', F_SIZE); + $l = $this->GetStringWidth( $strg ); + $this->SetXY($this->lMargin+$this->colwidth-$l-3, $savey+1); + $this->Write(0, $strg); $this->Ln(7) ; // and leave some room + + // draw the table borders and header at marked ordinate + $next = $this->PrintTable('', $this->GetY()-$tSide); + + $this->SetY($next); + } + +// assurer statement + /*public*/ function StatementAssurer( $assurer = NULL, $assurance = NULL ) { + if( $assurer == NULL OR $assurance == NULL ) return; + + // store current margin values + $TextProps = array('strokeColor'=> LLBLUE, 'value' => '', 'fillColor'=> LBLUE, 'doNotScrole'=> 'true', 'textSize' => '14', 'rotate'=>0); + $cellcnt = 0; + + $tSide = $this->PrintTable($this->unhtmlentities( _("Assurer's Statement") )); // mark table ordinate + // put hint on mutaul assurance in pdf file for mouse over + $msg = $this->unhtmlentities( _('One is advised for a mutual assurance. If done so the exact full name, email address and date of birth of the Assurer is also required on a form. In this case the Assuree assures the Assurer as well. In this case two copies are needed of the CAP form.') ); + $this->myLink($this->lMargin-7, $tSide-6, 5, 5, $msg, + array('subtype'=> 'Text', 'Open' => 'true', + 'c'=> array(173,197,215), 'name'=> 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _('On mutual assurance') ))); + // assurer identity info + // name, meeting date, meeting location, + // dob and email address string only is printed when info available + $this->SetXY($this->lMargin+1, $tSide); + $savey = $this->GetY()+2.5; + $this->SetFont(FONT, '', F_SIZE); + $strg = $this->unhtmlentities( _("Assurer's Name") ) . 
': '; + if( $assurer['name'] AND + function_exists('utf8_to_ascii') AND + !utf8_is_ascii_ctrl( $assurer['name']) ) + $ascii = utf8_to_ascii($assurer['name']); + else + $ascii = ''; + if( $ascii == $assurer['name'] ) $ascii = ''; + $abbr = $this->Abbreviate( $assurer[ 'name'] ); + if( $ascii != '' OR $abbr != '') { + $msg = $this->unhtmlentities( _('The exact name of the assurer may have transliterated characters and/or some given names may be abbreviated. If present the first given name will be shown abbreviated and parentheses around the last part of the given name.\n') ); + if( $ascii != '' ) $msg .= '* '. $ascii . "\n"; + if( $abbr != '' ) $msg .= '* '. $abbr . "\n"; + $this->myLink($this->lMargin-7, $tSide+2, 3, 3, $msg, + array('subtype'=> 'Text', 'Open' => 'false', + 'c'=> array(173,197,215), 'name'=> 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _('On the full name of the Assurer') ))); + } + $this->Write(0, $strg); + $strg = ''; + if( $assurer['dob'] ) $strg = $this->unhtmlentities( _('Date of Birth') ); + // if assurer dob is space we print format date + if( $assurer['dob'] == ' ' ) { + $strg .= ' ('. $this->unhtmlentities( _("yyyy-mm-dd") ) .')'; + $assurer['dob'] = ''; + } + $this->PrintDate($this->lMargin+$this->colwidth-3, $savey-2.5, $strg, $assurer['dob'], 'AssurerDoB', 'R'); + $this->SetXY($this->lMargin+2, $savey); + if($assurer[ 'name']) { + $strg = $assurer[ 'name']; + $this->SetFont(FONT, 'B', F_SIZE); + $cellcnt += $this->MultiCell($this->colwidth-22, 3, $strg, 0, 1); + $this->SetFont(FONT, '', F_SIZE); + if( $assurer['email'] ) { + $sx = $this->GetX(); $sy = $this->GetY(); + $sw = $this->GetStringWidth($strg) + 2; + $this->SetXY( $this->lMargin+$sw+4, $sy-4.1); + if( !BW ) $this->SetTextColor(17,86,140); + $ret = $this->Write(0, $assurer[ 'email'], 'mailto:'. $assurer[ 'email']); $this->Ln(); + if( !BW ) $this->SetTextColor(0); + } + } + $TextProps['value'] = $assurer[ 'name'] ? 
$assurer[ 'name'] : ' '; + $TextProps['textSize'] = 11; $TextProps['userName'] = $this->unhtmlentities( _('Full exact name of Assurer. On mutual assurance provide date of birth as well.') ); + $this->TextField('AssurerName', $this->SetFieldXY($this->lMargin+2, $savey+1, $this->colwidth-60), 5, $TextProps ); + $this->SetFieldXY(); + $TextProps['value'] = $assurer['email'] ? $assurer['email'] : $this->unhtmlentities( _('email') ) . '?'; + $TextProps['userName'] = $this->unhtmlentities( _('On mutual assurance provide email address of Assurer.') ); + $this->TextField('AssurerEmail', $this->SetFieldXY($this->lMargin+68.5, $savey+1, 35), 5, $TextProps ); + $this->SetFieldXY(); + $this->SetXY($this->lMargin+2, $savey+5); + + // assurer statements + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _("I, the Assurer, hereby confirm that I have verified the Applicant's Identity Information, I will witness the Applicant's identity in the CAcert Assurance Programme, and allocate Assurance Points.") ), true /* ticked */); + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _('I am a CAcert Community Member, have passed the Assurance Challenge, and have been assured with at least 100 Assurance Points.') ), true /* ticked */); + $this->Ln(1); $savey = $this->GetY(); + + $strg = $this->unhtmlentities( _('Date') ); + if( $assurer['date'] == '' ) $strg .= ' (' . $this->unhtmlentities( _("yyyy-mm-dd") ) . 
')'; + $strg = $strg; + $this->PrintDate( $this->lMargin+1, $savey, $strg, $assurer['date'], 'AssurerDate', 'L'); + + $this->SetXY($this->lMargin+1, $savey); + $this->SetFont(FONT, '',F_SIZE); + $strg = $this->unhtmlentities( _("Assurer's signature") ); + $this->SetXY($this->lMargin+$this->colwidth-$this->GetStringWidth($strg)-3, $savey); + $this->Write(0, $strg ); + $savey = $this->GetY()+7; // leave room for date and signature + if( $this->GetPageHeight()/$this->scale*100.0-$savey > MARGIN+4) + $savey += 2; + $this->SetXY($this->lMargin+1, $savey); + $l = $this->GetPageHeight()/$this->scale*100.0-$this->GetY() - MARGIN; + if($l > 3 ) $l = 3; if( $l > 0 ) $this->Ln($l); // try to come close to margin + $next = $this->PrintTable('', $this->GetY()-$tSide); + $this->SetY($next); + } + + // location print within caller table +/*private*/ function PrintLocation( $assurance = NULL ) { + if( $assurance == NULL ) return; + $savey = $this->GetY(); + //$this->SetXY($this->GetX(), $savey); + $strg = $this->unhtmlentities( _('Date and location of the face-to-face meeting') ). ': '; + $this->SetFont(FONT,'I', F_SIZE); + $this->Write(0, $strg); + $l = $this->GetStringWidth($strg); + $strg = $assurance['location']; + if( $strg) { + if( $assurance['date'] ) $strg = $assurance['date'] . ', '. $strg; + $strg = $strg; + $this->SetFont(FONT, 'B', F_SIZE); + $this->Write(0,$strg); + } + $TextProps['textSize'] = 11; + $TextProps['value'] = $assurance['location'] ? $assurance['location'] : ' '; + $TextProps['userName'] = $this->unhtmlentities( _('location of the assurance') ); + $this->TextField('AssuranceLocation', $this->SetFieldXY($this->lMargin+$l+19, $savey,$this->colwidth-$l-21), 5, $TextProps ); + $this->SetFieldXY(); + $TextProps['value'] = $assurance['date'] ? $assurance['date'] : ' '; + $TextProps['charLimit'] = 10; + $TextProps['userName'] = $this->unhtmlentities( _("yyyy-mm-dd") ).' '. 
$this->unhtmlentities( _('date of assurance') );
+ $this->TextField('AssuranceDate', $this->SetFieldXY($this->lMargin+1+$l, $savey, 17), 5, $TextProps );
+ $this->SetFieldXY();
+ $this->SetXY($this->lMargin,$savey+3);
+ }
+
+// End of CAPPDF TCPDF class extension
+}
+
+
+// --------------------------------------------------------------------------------
+// import environmental data -------------------------------------------------------
+// get $form, $orientation, $assuree, $assurer, $assurance info
+// FONT and BW are set already
+
+// import info
+function GET( $key = '' ) {
+ return ( array_key_exists( $key, $_GET) ? $_GET[$key] : '');
+}
+
+// form, CCA and page format info
+ $page['format'] = strtolower(GET('format')); // A3, A4, A5, letter, legal, etc.
+ if( !$page['format'] ) $page['format'] = 'a4'; // default
+ // on landscape orientation we do two half pages
+ $page['orientation'] = strtolower(GET('orientation'));
+ if( $page['orientation'] != 'l' AND $page['orientation'] != 'landscape' ) {
+ // default portrait 1-up
+ $page['orientation'] = 'p'; // landscape implies 2-up
+ }
+ $page['form'] = GET('noform') != '' ? false : true;
+ // dft is now true it should go to true
+ $page['policies'] = array();
+ if( GET('nocca') == '' ) {
+ if( defined('CCA') ) $page['policies'][] = CCA;
+ }
+ // set $page['form'] on 'simplex' or 'duplex' to get CCA on pdf page
+
+// Assurer info
+$assurer = array ( 'name' => my_recode(GET('assurer')) ,
+ 'dob' => my_recode(GET('assurerdob')),
+ 'email' => my_recode(GET('assureremail')),
+ 'maxpoints' => intval(my_recode(GET('maxpoints'))) < 0? -1 :
+ intval(my_recode(GET('maxpoints'))),
+ 'date' => my_recode(GET('assurerdate')) ? my_recode(GET('assurerdate')) :
+ my_recode(GET('date'))
+ );
+if( $assurer['name'] != '' AND
+ !utf8_is_ascii_ctrl($assurer['name']) AND
+ !function_exists('utf8_to_ascii'))
+ require_once ( UTF8_ASCII );
+
+// assurance info
+$assurance = array ( 'location' => my_recode(GET('location')),
+ 'date' => my_recode(GET('assurancedate'))?my_recode(GET('assurancedate')):
+ my_recode(GET('date')),
+ 'maxpoints'=> intval(my_recode(GET('maxpoints'))) < 0? -1 :
+ intval(my_recode(GET('maxpoints'))),
+ 'notes' => '' // not yet used
+ );
+
+// Assuree info
+$assuree = array ( 'names' => array( ),
+ 'namecnt' => 0,
+ 'dob' => my_recode(GET('dob')),
+ 'email' => my_recode(GET('email')),
+ 'date' => my_recode(GET('date')) == 'now' ? date('Y-m-d') :
+ my_recode(GET('date'))
+ );
+
+// defeats due to history
+if( $assuree['date'] == '' AND $assurer['date'] ) $assuree['date'] = $assurer['date'];
+if( $assurance['date'] == '' AND $assuree['date'] ) $assurance['date'] = $assuree['date'];
+if( $assurer['date'] == 'now' ) $assurer['date'] = date('Y-m-d');
+if( $assurance['date'] == 'now' ) $assurance['date'] = date('Y-m-d');
+$document = my_recode(GET('document1'));
+if( GET('document2') ) $document .= '/'. my_recode(GET('document2'));
+// for history sake do special, next can void other arguments...
+if( GET('name') ) $_GET['name1'] = GET('name');
+if( $document ) $_GET['name1ID'] = $document;
+
+function Dstr( $strg = '', $cnt = 1 ) {
+ return( sprintf("name%d%s", $cnt, $strg));
+}
+$j = 0; // after two successive empty names we stop
+for( $i = 1; $i <= 9 AND $j < 2; $i++) { // max 9 names we only print 4 max...
+ $name = my_recode(GET(Dstr('', $i)));
+ if( $name ) { $j = 0;
+ $assuree[ 'namecnt' ]++;
+ $assuree[ 'names' ] [] = array (
+ 'name' => $name ? $name : '',
+ 'idtype' => my_recode(GET(Dstr('ID',$i)))? my_recode(GET(Dstr('ID',$i))) : '',
+ 'points' => my_recode(GET(Dstr('Pnts',$i))) != '' ? intval(my_recode(GET(Dstr('Pnts',$i)))) : -1
+ );
+ if( $name != '' AND
+ !utf8_is_ascii_ctrl($name) AND
+ !function_exists('utf8_to_ascii'))
+ require_once ( UTF8_ASCII );
+ } else $j++;
+}
+
+// try to get policy documents names to be printed off
+$j = 0; // after two successive empty name we stop searching
+for( $i = 1; $i <= 9 AND $j<2; $i++ ) {
+ $name = GET(sprintf("policy%d", $i));
+ if( $name != '' ) { $page['policies'][] = $name; $j = 0; }
+ else $j++;
+}
+
+unset( $document ); unset( $i ); unset( $j); // unset($_GET);
+// end of arguments imports
+
+ header('Expires: '.gmdate("D, j M Y G:i:s \G\M\T", time()+10800));
+ header('Content-Disposition: attachment; filename=CAcert cap.pdf');
+ header('Cache-Control: public, max-age=10800');
+ header('Pragma: cache');
+// Content-Type and Content Length is done by tcpdf package
+
+// create new PDF document =====================================================
+ $pdf = new CAPPDF(
+ /* PDF_PAGE_ORIENTATION */ $page['orientation'],
+ PDF_UNIT /* mm */,
+ /* PDF_PAGE_FORMAT */ $page['format'],
+ true
+ );
+ $pdf->SetFormat( $page['format'] ); // set paper size scaling
+
+// protection is encryption and this will cause 3.5 times performance loss
+// $pdf->SetProtection(array('print', 'annot-forms'));
+
+// set document property information
+ $pdf->SetCreator('LibreSSL - CAcert web application');
+ $pdf->SetAuthor('© ' . date('Y') . ' CAcert Inc., Australia.');
+ $pdf->SetKeywords('X.509, Assurance Programme, CAP form, Community Agreement, Digital Certificates, CAcert');
+ $pdf->SetTitle('CAcert Assurance Programme');
+ $pdf->SetSubject('CAP form V'.$pdf->Version().', generated ' . date("Y-n-j H:i:s T"));
+ if( GET('watermark') != '') $pdf->Watermark = my_recode(GET('watermark'));
+ // requires zlib and will decrease response time but increase bandwidth
+ // if no zlib is found, automatically no compression is done
+ $pdf->SetCompression(true); // turn it off when more pperformance is needed
+
+// AddSJISFont function is not present in tcpdf package !!!!
+
+//set auto page breaks
+ $pdf->SetAutoPageBreak(TRUE, MARGIN*0.707);
+
+//set image scale factor
+ $pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
+
+//set some language-dependent strings
+ $pdf->setLanguageArray($l);
+
+//initialize document
+ $pdf->AliasNbPages();
+
+// AND GENERATE THE FORM ===================================
+ // generation properties which have been set from environment:
+ // deflt: BW (color), FONT (free Sans Vera), portrait 1-up, A5, duplex, with CCA
+ // orientation landscape gives 2-up
+ if ( FONT == 'SJIS') $pdf->AddSJISFont();
+ $pdf->PrintForm($assuree, $assurer, $assurance, $page);
+ $pdf->setViewerPreferences($pdf->ViewerPrefs);
+
+//Close and output PDF document
+ $pdf->Output('CAcert CAP.pdf', 'I');
+
+//============================================================+
+// END OF FILE
+//============================================================+
+?>
diff --git a/cacert/www/cats/.#cats_import.php.1.2 b/cacert/www/cats/.#cats_import.php.1.2
new file mode 100644
index 0000000..ec73b1b
--- /dev/null
+++ b/cacert/www/cats/.#cats_import.php.1.2
@@ -0,0 +1,165 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+// Comment (to be romeved): better to disable shot open tags in php.ini
+
+/*
+ cats_import.php
+
+ API for CATS to import passed tests into main CAcert database.
+*/
+
+function sanitize_string($buffer) {
+ return htmlentities(utf8_decode($buffer), (int)ENQ_QUOTES);
+}
+
+define ('UNDEFINED', 'nd');
+define ('ALLOWED_IP', '72.21.48.90');
+define ('CONFIG_FILEPATH', '/www/');
+
+$remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
+$server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
+$https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
+$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED;
+
+$access = FALSE;
+
+// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
+if (
+ $remote_addr == ALLOWED_IP &&
+ $https == 'on' &&
+ // Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
+ // Ted: Is this specified? I don't think so, therefore I'd keep stristr
+ strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
+) $access = TRUE;
+
+if ($access !== TRUE) {
+ echo 'UNAUTHORIZED ACCESS<br>'."\r\n";
+ echo 'IP: '.sanitize_string($remote_addr).'<br>'."\r\n";
+ echo 'Server: '.sanitize_string($server_name).'<br>'."\r\n";
+ echo 'HTTPS: '.sanitize_string($https).'<br>'."\r\n";
+ echo 'Client cert: '.sanitize_string($ssl_client_s_dn).'<br>'."\r\n";
+ trigger_error('Unauthorized access: ip('.$remote_addr.') server('.$server_name.') https('.$https.') cert('.$ssl_client_s_dn.')', E_USER_ERROR);
+ exit();
+}
+
+// Comment (to be romeved): do you we session autostart in php.ini??
+// Ted: Sessions are quite meaningless for me since the upload protocol is stateless. Should session_start be called nevertheless?
+session_start();
+
+require_once(CONFIG_FILEPATH.'includes/mysql.php');
+
+// Comment (to be romeved): dunno the difference between stripslashes and stripcslashes
+// manual is iunclear too, please make sure there are no decoding issues
+// Ted: I just used it here because I saw it elsewhere and it seems to work. Would you prefer stripslashes?
+if (get_magic_quotes_gpc()) {
+ $serial = stripcslashes($_POST['serial']);
+ $root = stripcslashes($_POST['root']);
+ $type = stripcslashes($_POST['type']);
+ $variant = stripcslashes($_POST['variant']);
+ $date = stripcslashes($_POST['date']);
+} else {
+ $serial = $_POST['serial'];
+ $root = $_POST['root'];
+ $type = $_POST['type'];
+ $variant = $_POST['variant'];
+ $date = $_POST['date'];
+}
+
+// Explicitly select all those IDs so I can insert new rows if needed.
+$query = mysql_query('SELECT `id` FROM `cats_type` WHERE `type_text` = \''.mysql_real_escape_string($type).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $typeID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_type` (`type_text`) VALUES (\''.mysql_real_escape_string($type).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $typeID = mysql_insert_id();
+}
+
+$query = mysql_query('SELECT `id` FROM `cats_variant` WHERE `type_id` = \''.(int)intval($typeID).'\' AND `test_text` = \''.mysql_real_escape_string($variant).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $variantID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_variant` (`type_id`, `test_text`) VALUES (\''.(int)intval($typeID).'\', \''.mysql_real_escape_string($variant).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $variantID = mysql_insert_id();
+}
+
+// Now find the userid from cert serial
+$query = mysql_query('SELECT `ec`.`memid` FROM `emailcerts` AS `ec`, `root_certs` AS `rc` WHERE `ec`.`rootcert` = `rc`.`id` AND `ec`.`serial` = \''.mysql_real_escape_string($serial).'\' AND `rc`.`cert_text` = \''.mysql_real_escape_string($root).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $userID = $result['0'];
+} else {
+ echo 'Cannot find cert '.sanitize_string($serial).' / '.sanitize_string($root)."\r\n";
+ // Let's treat this as an error, since it should not happen.
+ trigger_error('Cannot find cert '.$serial.' / '.$root.'!'.mysql_error(), E_USER_ERROR);
+ exit();
+}
+
+// The unique constraint on cats_passed assures that records are not stored multiply
+$query = mysql_query('INSERT INTO `cats_passed` (`user_id`, `variant_id`, `pass_date`) VALUES (\''.(int)intval($userID).'\', \''.(int)intval($variantID).'\', \''.mysql_real_escape_string($date).'\');');
+if (!$query) {
+ if (mysql_errno() != 1062) { // Duplicate Entry is considered success
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+}
+
+// Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
+$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp` WHERE `tp`.`user_id` = `u`.`id`) AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100;'); // Challenge has been passed and non-expired points >= 100
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+echo 'OK'."\r\n";
+
+?>
diff --git a/cacert/www/cats/CVS/Entries b/cacert/www/cats/CVS/Entries
new file mode 100644
index 0000000..f863143
--- /dev/null
+++ b/cacert/www/cats/CVS/Entries
@@ -0,0 +1,2 @@
+/cats_import.php/1.5/Wed Oct 22 11:07:58 2008//
+D
diff --git a/cacert/www/cats/CVS/Repository b/cacert/www/cats/CVS/Repository
new file mode 100644
index 0000000..96342a9
--- /dev/null
+++ b/cacert/www/cats/CVS/Repository
@@ -0,0 +1 @@
+cacert/www/cats
diff --git a/cacert/www/cats/CVS/Root b/cacert/www/cats/CVS/Root
new file mode 100644
index 0000000..a363882
--- /dev/null
+++ b/cacert/www/cats/CVS/Root
@@ -0,0 +1 @@
+/var/lib/cvs
diff --git a/cacert/www/cats/cats_import.php b/cacert/www/cats/cats_import.php
new file mode 100644
index 0000000..6d77a75
--- /dev/null
+++ b/cacert/www/cats/cats_import.php
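Review bot: The client-certificate test in `.#cats_import.php.1.2` is a case-insensitive substring match, `strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0`, so any subject DN that merely contains that text passes, including a longer address that begins with it. Nothing in the hunk checks that the server verified the certificate chain, so the decision effectively rests on the `REMOTE_ADDR` comparison and on vhost configuration that is not visible here. I would add `$_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS'` to the condition and compare the address exactly, for example `$_SERVER['SSL_CLIENT_S_DN_Email'] === 'cats@cacert.org'` if mod_ssl exports it on this host. The same condition is in the `cats_import.php` hunk later in this diff. Separately, the `.#` name suggests this file is a CVS merge backup; if so it probably should not ship under the web root, where a non-`.php` suffix may be served as source.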
@@ -0,0 +1,166 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+// Comment (to be romeved): better to disable shot open tags in php.ini
+
+/*
+ cats_import.php
+
+ API for CATS to import passed tests into main CAcert database.
+*/
+
+function sanitize_string($buffer) {
+ return htmlentities(utf8_decode($buffer), (int)ENQ_QUOTES);
+}
+
+define ('UNDEFINED', 'nd');
+define ('ALLOWED_IP', '213.154.225.228');
+define ('ALLOWED_IP2', '193.238.157.112');
+define ('CONFIG_FILEPATH', '/www/');
+
+$remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
+$server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
+$https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
+$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED;
+
+$access = FALSE;
+
+// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
+if (
+ ($remote_addr == ALLOWED_IP || $remote_addr == ALLOWED_IP2) &&
+ $https == 'on' &&
+ // Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
+ // Ted: Is this specified? I don't think so, therefore I'd keep stristr
+ strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
+) $access = TRUE;
+
+if ($access !== TRUE) {
+ echo 'UNAUTHORIZED ACCESS<br>'."\r\n";
+ echo 'IP: '.sanitize_string($remote_addr).'<br>'."\r\n";
+ echo 'Server: '.sanitize_string($server_name).'<br>'."\r\n";
+ echo 'HTTPS: '.sanitize_string($https).'<br>'."\r\n";
+ echo 'Client cert: '.sanitize_string($ssl_client_s_dn).'<br>'."\r\n";
+ trigger_error('Unauthorized access: ip('.$remote_addr.') server('.$server_name.') https('.$https.') cert('.$ssl_client_s_dn.')', E_USER_ERROR);
+ exit();
+}
+
+// Comment (to be romeved): do you we session autostart in php.ini??
+// Ted: Sessions are quite meaningless for me since the upload protocol is stateless. Should session_start be called nevertheless?
+session_start();
+
+require_once(CONFIG_FILEPATH.'includes/mysql.php');
+
+// Comment (to be romeved): dunno the difference between stripslashes and stripcslashes
+// manual is iunclear too, please make sure there are no decoding issues
+// Ted: I just used it here because I saw it elsewhere and it seems to work. Would you prefer stripslashes?
+if (get_magic_quotes_gpc()) {
+ $serial = stripcslashes($_POST['serial']);
+ $root = stripcslashes($_POST['root']);
+ $type = stripcslashes($_POST['type']);
+ $variant = stripcslashes($_POST['variant']);
+ $date = stripcslashes($_POST['date']);
+} else {
+ $serial = $_POST['serial'];
+ $root = $_POST['root'];
+ $type = $_POST['type'];
+ $variant = $_POST['variant'];
+ $date = $_POST['date'];
+}
+
+// Explicitly select all those IDs so I can insert new rows if needed.
+$query = mysql_query('SELECT `id` FROM `cats_type` WHERE `type_text` = \''.mysql_real_escape_string($type).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $typeID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_type` (`type_text`) VALUES (\''.mysql_real_escape_string($type).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $typeID = mysql_insert_id();
+}
+
+$query = mysql_query('SELECT `id` FROM `cats_variant` WHERE `type_id` = \''.(int)intval($typeID).'\' AND `test_text` = \''.mysql_real_escape_string($variant).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $variantID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_variant` (`type_id`, `test_text`) VALUES (\''.(int)intval($typeID).'\', \''.mysql_real_escape_string($variant).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $variantID = mysql_insert_id();
+}
+
+// Now find the userid from cert serial
+$query = mysql_query('SELECT `ec`.`memid` FROM `emailcerts` AS `ec`, `root_certs` AS `rc` WHERE `ec`.`rootcert` = `rc`.`id` AND `ec`.`serial` = \''.mysql_real_escape_string($serial).'\' AND `rc`.`cert_text` = \''.mysql_real_escape_string($root).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $userID = $result['0'];
+} else {
+ echo 'Cannot find cert '.sanitize_string($serial).' / '.sanitize_string($root)."\r\n";
+ // Let's treat this as an error, since it should not happen.
+ trigger_error('Cannot find cert '.$serial.' / '.$root.'!'.mysql_error(), E_USER_ERROR);
+ exit();
+}
+
+// The unique constraint on cats_passed assures that records are not stored multiply
+$query = mysql_query('INSERT INTO `cats_passed` (`user_id`, `variant_id`, `pass_date`) VALUES (\''.(int)intval($userID).'\', \''.(int)intval($variantID).'\', \''.mysql_real_escape_string($date).'\');');
+if (!$query) {
+ if (mysql_errno() != 1062) { // Duplicate Entry is considered success
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+}
+
+// Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
+$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp` WHERE `tp`.`user_id` = `u`.`id`) AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100;'); // Challenge has been passed and non-expired points >= 100
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+echo 'OK'."\r\n";
+
+?>
diff --git a/cacert/www/certs/CVS/Entries b/cacert/www/certs/CVS/Entries
new file mode 100644
index 0000000..c0aaed6
--- /dev/null
+++ b/cacert/www/certs/CVS/Entries
@@ -0,0 +1,8 @@
+/cacert.asc/1.1/Fri May 13 15:41:53 2005//
+/root.crt/1.1/Fri May 13 15:41:53 2005//
+/root.der/1.1/Fri May 13 15:41:53 2005//
+/class3.crt/1.1/Fri Feb 23 21:45:09 2007//
+/class3.der/1.1/Fri Feb 23 21:45:09 2007//
+/class3.txt/1.1/Fri Feb 23 21:50:24 2007//
+/root.txt/1.1/Fri Feb 23 21:50:24 2007//
+D
diff --git a/cacert/www/certs/CVS/Repository b/cacert/www/certs/CVS/Repository
new file mode 100644
index 0000000..323731b
--- /dev/null
+++ b/cacert/www/certs/CVS/Repository
@@ -0,0 +1 @@
+cacert/www/certs
diff --git a/cacert/www/certs/CVS/Root b/cacert/www/certs/CVS/Root
new file mode 100644
index 0000000..a363882
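Review bot: `sanitize_string()` in `cats_import.php` passes `(int)ENQ_QUOTES` to `htmlentities()`, and `ENQ_QUOTES` is not a PHP constant; it looks like a typo for `ENT_QUOTES`. On PHP 5, which the `mysql_*` and magic-quotes calls suggest, an undefined constant is read as the string `'ENQ_QUOTES'`, the cast yields 0, and 0 is `ENT_NOQUOTES`, so the values echoed on the unauthorized-access and "Cannot find cert" paths have `<`, `>` and `&` encoded but quotes left as they are. The line should read `return htmlentities(utf8_decode($buffer), ENT_QUOTES);`. The backup copy `.#cats_import.php.1.2` earlier in this diff has the same line.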
--- /dev/null +++ b/cacert/www/certs/CVS/Root @@ -0,0 +1 @@ +/var/lib/cvs diff --git a/cacert/www/certs/cacert.asc b/cacert/www/certs/cacert.asc new file mode 100644 index 0000000..120f516 --- /dev/null +++ b/cacert/www/certs/cacert.asc @@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.2.2 (GNU/Linux) + +mQGiBD8OdRwRBACEr0/NPA88qp8f6KyIMMveLQ1FOuLi0aDQDPybG7u1nrBoi3VI +tSRyfYcdExVxWQjTGd9qbShzXBw2DsxjA6YjiGzWKpVcqtj9uUDpSlylBaoadUzu +Sf3r3IkOHR2QJeC+9v2il30xy5XLMxDRbQYaSmf4uwTlIOUWNn118KpdawCgoNny +p4DR9EvRgCmY5z6IKHA2WscD/AhAKDVHCIAoZHzSB/puNOuVUSKRbIWNAqUAYosz +GRzYWb8O/3Ja4fNb3IMQ1gIsEcnUJFHnzID3pTjqWyiCId/NSX3fLuQxZHZE9n8P +PqlZIvqMrOfCT0RJQa0zTFcrgepnmnHLj7qmtXQZm+YkTvlihOZNtVA4JNzrxDrQ +egkqA/4hr0LezNJfkUhWnbW604p7AmmKK7Hi/ZixAfnxN0adgnV7oC3Q4VM8aB2i +gReSuifluHiaJmf/WsA3KH4bdyLRbagz6dOPkXY8bQKy9yRxQz9oYwudlluYoZXe +gSQI2Jle9U2ENefa9ouvVlsB0he1qzF6VzHXAXpLsANt5smDh7Q0Q0EgQ2VydCBT +aWduaW5nIEF1dGhvcml0eSAoUm9vdCBDQSkgPGdwZ0BjYWNlcnQub3JnPohfBBMR +AgAfBQI/DnUcBQk4ZAkABAsHAwIDFQIDAxYCAQIeAQIXgAAKCRDSuw0BZdD9WEFX +AJ9C6WBcYfTYw1uvZ+N85TPGG5PMKQCcCM1tyULC5J6pfwevywS6cEwfagW5Ag0E +Pw51MBAIANUbl1u0j+mnVJk1fKbJ+Ul6SAYpNtordfgrgrmlnOhMCFcROrCzsaaI +1ehohxMbTnIj0RP0g/KotahAurqB98qzHIxXZMEJSzBE2OCNvlIXqUyT1jwhAUN6 +e71s084Lml84gD4cIr7+2YtwIu+6zrE+YdjfMT1NibM3vmiXaknrk4aADb02ZS5U +iDeRstUO5PG7qVg4umR0HZJ1Ck2U7Kdjaekzzlm0q/vYMZKTYX37NkZRUU0QFLsM +tACEaZnwKf9hMAWJwG1OFyJeLVH8xvzCkI4I+fpAvAQj6LVAh41SHl7EivH6SiTp +/+61idoz/CGqeLBxuex6Z+Y53U54FmcAAwUH/2chzBs1YWFX5LuLGEW3R3UW/wDb +RnYpsSR+pnMBVh18WS0nF08R/SXtb12RsqN5H+GtELOZng6IWL5hhgNaYvF1F4sW +Ezm2nyVmTsu7/DtHLmXtzz1oNLQ9pzJkoqP2pGtPYQKvmiuoNbt+l1prwjt5zn1D +slLn8w0+9/PP1YdKpuZ/189yQP6iYsLHxBxg/50MbSzoFwiT22aJCdF+OJ7zRwDy +GhjnfV7HVwdEDV5rvb7aRolRmZZF2UADSPu52BWT4PI0nVnewAgivyELqVU3Zc3P +aWqmH5BAh22MjbsbXrWZXK/WOfZCNlPVdfHxwFGxnlwsHgmyrkPAs3szJGiITAQY +EQIADAUCPw51MAUJOGQJAAAKCRDSuw0BZdD9WMw8AJwIVUzB2WQJGAbf/aXzCABn +QWdKwACdEWUSf69RZiJgp4oMfXMx0fDEh2I= +=OaPO +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/cacert/www/certs/class3.crt b/cacert/www/certs/class3.crt new file mode 100644 index 0000000..35e2689 --- /dev/null +++ b/cacert/www/certs/class3.crt 
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGCDCCA/CgAwIBAgIBATANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA +Y2FjZXJ0Lm9yZzAeFw0wNTEwMTQwNzM2NTVaFw0zMzAzMjgwNzM2NTVaMFQxFDAS +BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v +cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9 +4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB +Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J +0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ +FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx +bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q +SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb +6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV +m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g +eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG +kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7 +6QIDAQABo4G/MIG8MA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMG +CCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYc +aHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQB +gZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5w +aHA/aWQ9MTAwDQYJKoZIhvcNAQEEBQADggIBAH8IiKHaGlBJ2on7oQhy84r3HsQ6 +tHlbIDCxRd7CXdNlafHCXVRUPIVfuXtCkcKZ/RtRm6tGpaEQU55tiKxzbiwzpvD0 +nuB1wT6IRanhZkP+VlrRekF490DaSjrxC1uluxYG5sLnk7mFTZdPsR44Q4Dvmw2M +77inYACHV30eRBzLI++bPJmdr7UpHEV5FpZNJ23xHGzDwlVks7wU4vOkHx4y/CcV +Bc/dLq4+gmF78CEQGPZE6lM5+dzQmiDgxrvgu1pPxJnIB721vaLbLmINQjRBvP+L +ivVRIqqIMADisNS8vmW61QNXeZvo3MhN+FDtkaVSKKKs+zZYPumUK5FQhxvWXtaM +zPcPEAxSTtAWYeXlCmy/F8dyRlecmPVsYGN6b165Ti/Iubm7aoW8mA3t+T6XhDSU +rgCvoeXnkm5OvfPi2RSLXNLrAWygF6UtEOucekq9ve7O/e0iQKtwOIj1CodqwqsF 
+YMlIBdpTwd5Ed2qz8zw87YC8pjhKKSRf/lk7myV6VmMAZLldpGJ9VzZPrYPvH5JT +oI53V93lYRE9IwCQTDz6o2CTBKOvNfYOao9PSmCnhQVsRqGP9Md246FZV/dxssRu +FFxtbUFm3xuTsdQAw+7Lzzw9IYCpX2Nl/N3gX6T0K/CFcUHUZyX7GrGXrtaZghNB +0m6lG5kngOcLqagA +-----END CERTIFICATE----- diff --git a/cacert/www/certs/class3.der b/cacert/www/certs/class3.der Binary files differnew file mode 100644 index 0000000..cffe3c5 --- /dev/null +++ b/cacert/www/certs/class3.der diff --git a/cacert/www/certs/class3.txt b/cacert/www/certs/class3.txt new file mode 100644 index 0000000..0b43b04 --- /dev/null +++ b/cacert/www/certs/class3.txt 
@@ -0,0 +1,126 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: md5WithRSAEncryption + Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org + Validity + Not Before: Oct 14 07:36:55 2005 GMT + Not After : Mar 28 07:36:55 2033 GMT + Subject: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (4096 bit) + Modulus (4096 bit): + 00:ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9: + dd:28:d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da: + 89:7d:e1:fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0: + 24:99:73:da:e2:55:76:c7:17:7b:f5:04:ac:46:b8: + c3:be:7f:64:8d:10:6c:24:f3:61:9c:c0:f2:90:fa: + 51:e6:f5:69:01:63:c3:0f:56:e2:4a:42:cf:e2:44: + 8c:25:28:a8:c5:79:09:7d:46:b9:8a:f3:e9:f3:34: + 29:08:45:e4:1c:9f:cb:94:04:1c:81:a8:14:b3:98: + 65:c4:43:ec:4e:82:8d:09:d1:bd:aa:5b:8d:92:d0: + ec:de:90:c5:7f:0a:c2:e3:eb:e6:31:5a:5e:74:3e: + 97:33:59:e8:c3:03:3d:60:33:bf:f7:d1:6f:47:c4: + cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15:18:91:a6: + 85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a:68:72: + 35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92:7e: + 4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e: + 0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9: + 2b:eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64: + 27:22:10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed: + 5d:aa:48:d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4: + cc:0e:42:5b:8c:ed:db:f2:cf:fc:96:93:e0:db:11: + 36:54:62:34:38:8f:0c:60:9b:3b:97:56:38:ad:f3: + d2:5b:8b:a0:5b:ea:4e:96:b8:7c:d7:d5:a0:86:70: + 40:d3:91:29:b7:a2:3c:ad:f5:8c:bb:cf:1a:92:8a: + e4:34:7b:c0:d8:6c:5f:e9:0a:c2:c3:a7:20:9a:5a: + df:2c:5d:52:5c:ba:47:d5:9b:ef:24:28:70:38:20: + 2f:d5:7f:29:c0:b2:41:03:68:92:cc:e0:9c:cc:97: + 4b:45:ef:3a:10:0a:ab:70:3a:98:95:70:ad:35:b1: + ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a:80:26:48: + 00:b8:01:c0:93:63:55:22:91:3c:56:e7:af:db:3a: + 25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53:11: + 
c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91: + 99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af: + 8c:10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42: + 74:1e:8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40: + 05:fb:e9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + Authority Information Access: + OCSP - URI:http://ocsp.CAcert.org/ + CA Issuers - URI:http://www.CAcert.org/ca.crt + + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.18506 + CPS: http://www.CAcert.org/index.php?id=10 + + Signature Algorithm: md5WithRSAEncryption + 7f:08:88:a1:da:1a:50:49:da:89:fb:a1:08:72:f3:8a:f7:1e: + c4:3a:b4:79:5b:20:30:b1:45:de:c2:5d:d3:65:69:f1:c2:5d: + 54:54:3c:85:5f:b9:7b:42:91:c2:99:fd:1b:51:9b:ab:46:a5: + a1:10:53:9e:6d:88:ac:73:6e:2c:33:a6:f0:f4:9e:e0:75:c1: + 3e:88:45:a9:e1:66:43:fe:56:5a:d1:7a:41:78:f7:40:da:4a: + 3a:f1:0b:5b:a5:bb:16:06:e6:c2:e7:93:b9:85:4d:97:4f:b1: + 1e:38:43:80:ef:9b:0d:8c:ef:b8:a7:60:00:87:57:7d:1e:44: + 1c:cb:23:ef:9b:3c:99:9d:af:b5:29:1c:45:79:16:96:4d:27: + 6d:f1:1c:6c:c3:c2:55:64:b3:bc:14:e2:f3:a4:1f:1e:32:fc: + 27:15:05:cf:dd:2e:ae:3e:82:61:7b:f0:21:10:18:f6:44:ea: + 53:39:f9:dc:d0:9a:20:e0:c6:bb:e0:bb:5a:4f:c4:99:c8:07: + bd:b5:bd:a2:db:2e:62:0d:42:34:41:bc:ff:8b:8a:f5:51:22: + aa:88:30:00:e2:b0:d4:bc:be:65:ba:d5:03:57:79:9b:e8:dc: + c8:4d:f8:50:ed:91:a5:52:28:a2:ac:fb:36:58:3e:e9:94:2b: + 91:50:87:1b:d6:5e:d6:8c:cc:f7:0f:10:0c:52:4e:d0:16:61: + e5:e5:0a:6c:bf:17:c7:72:46:57:9c:98:f5:6c:60:63:7a:6f: + 5e:b9:4e:2f:c8:b9:b9:bb:6a:85:bc:98:0d:ed:f9:3e:97:84: + 34:94:ae:00:af:a1:e5:e7:92:6e:4e:bd:f3:e2:d9:14:8b:5c: + d2:eb:01:6c:a0:17:a5:2d:10:eb:9c:7a:4a:bd:bd:ee:ce:fd: + ed:22:40:ab:70:38:88:f5:0a:87:6a:c2:ab:05:60:c9:48:05: + da:53:c1:de:44:77:6a:b3:f3:3c:3c:ed:80:bc:a6:38:4a:29: + 24:5f:fe:59:3b:9b:25:7a:56:63:00:64:b9:5d:a4:62:7d:57: + 36:4f:ad:83:ef:1f:92:53:a0:8e:77:57:dd:e5:61:11:3d:23: + 00:90:4c:3c:fa:a3:60:93:04:a3:af:35:f6:0e:6a:8f:4f:4a: + 60:a7:85:05:6c:46:a1:8f:f4:c7:76:e3:a1:59:57:f7:71:b2: + 
c4:6e:14:5c:6d:6d:41:66:df:1b:93:b1:d4:00:c3:ee:cb:cf: + 3c:3d:21:80:a9:5f:63:65:fc:dd:e0:5f:a4:f4:2b:f0:85:71: + 41:d4:67:25:fb:1a:b1:97:ae:d6:99:82:13:41:d2:6e:a5:1b: + 99:27:80:e7:0b:a9:a8:00 +-----BEGIN CERTIFICATE----- +MIIGCDCCA/CgAwIBAgIBATANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA +Y2FjZXJ0Lm9yZzAeFw0wNTEwMTQwNzM2NTVaFw0zMzAzMjgwNzM2NTVaMFQxFDAS +BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v +cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9 +4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB +Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J +0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ +FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx +bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q +SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb +6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV +m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g +eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG +kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7 +6QIDAQABo4G/MIG8MA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMG +CCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYc +aHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQB +gZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5w +aHA/aWQ9MTAwDQYJKoZIhvcNAQEEBQADggIBAH8IiKHaGlBJ2on7oQhy84r3HsQ6 +tHlbIDCxRd7CXdNlafHCXVRUPIVfuXtCkcKZ/RtRm6tGpaEQU55tiKxzbiwzpvD0 +nuB1wT6IRanhZkP+VlrRekF490DaSjrxC1uluxYG5sLnk7mFTZdPsR44Q4Dvmw2M +77inYACHV30eRBzLI++bPJmdr7UpHEV5FpZNJ23xHGzDwlVks7wU4vOkHx4y/CcV +Bc/dLq4+gmF78CEQGPZE6lM5+dzQmiDgxrvgu1pPxJnIB721vaLbLmINQjRBvP+L 
+ivVRIqqIMADisNS8vmW61QNXeZvo3MhN+FDtkaVSKKKs+zZYPumUK5FQhxvWXtaM +zPcPEAxSTtAWYeXlCmy/F8dyRlecmPVsYGN6b165Ti/Iubm7aoW8mA3t+T6XhDSU +rgCvoeXnkm5OvfPi2RSLXNLrAWygF6UtEOucekq9ve7O/e0iQKtwOIj1CodqwqsF +YMlIBdpTwd5Ed2qz8zw87YC8pjhKKSRf/lk7myV6VmMAZLldpGJ9VzZPrYPvH5JT +oI53V93lYRE9IwCQTDz6o2CTBKOvNfYOao9PSmCnhQVsRqGP9Md246FZV/dxssRu +FFxtbUFm3xuTsdQAw+7Lzzw9IYCpX2Nl/N3gX6T0K/CFcUHUZyX7GrGXrtaZghNB +0m6lG5kngOcLqagA +-----END CERTIFICATE----- diff --git a/cacert/www/certs/root.crt b/cacert/www/certs/root.crt new file mode 100644 index 0000000..e7dfc82 --- /dev/null +++ b/cacert/www/certs/root.crt 
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA +Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO +BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi +MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ +ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ +8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 +zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y +fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 +w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc +G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k +epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q +laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ +QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU +fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 +YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w +ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY +gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe +MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 +IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy +dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw +czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 +dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl +aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC +AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg +b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB +ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc 
+nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg +18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c +gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl +Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY +sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T +SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF +CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum +GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk +zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW +omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD +-----END CERTIFICATE----- diff --git a/cacert/www/certs/root.der b/cacert/www/certs/root.der Binary files differnew file mode 100644 index 0000000..719b0ff --- /dev/null +++ b/cacert/www/certs/root.der diff --git a/cacert/www/certs/root.txt b/cacert/www/certs/root.txt new file mode 100644 index 0000000..96bb2cd --- /dev/null +++ b/cacert/www/certs/root.txt 
@@ -0,0 +1,140 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: md5WithRSAEncryption + Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org + Validity + Not Before: Mar 30 12:29:49 2003 GMT + Not After : Mar 29 12:29:49 2033 GMT + Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (4096 bit) + Modulus (4096 bit): + 00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0: + 33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6: + 7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12: + cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0: + ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98: + c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9: + ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e: + e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b: + 64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a: + 61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac: + 44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7: + 42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d: + 1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc: + 25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0: + c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7: + eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f: + c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d: + 66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c: + 72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92: + b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a: + b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa: + 04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d: + ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2: + c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f: + 1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c: + 87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c: + 04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98: + b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b: + 38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c: + f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1: + 
75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5: + d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8: + dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43: + ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9: + e5:a1:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1 + X509v3 Authority Key Identifier: + keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1 + DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org + serial:00 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 CRL Distribution Points: + URI:https://www.cacert.org/revoke.crl + + Netscape CA Revocation Url: + https://www.cacert.org/revoke.crl + Netscape CA Policy Url: + http://www.cacert.org/index.php?id=10 + Netscape Comment: + To get your own certificate for FREE head over to http://www.cacert.org + Signature Algorithm: md5WithRSAEncryption + 28:c7:ee:9c:82:02:ba:5c:80:12:ca:35:0a:1d:81:6f:89:6a: + 99:cc:f2:68:0f:7f:a7:e1:8d:58:95:3e:bd:f2:06:c3:90:5a: + ac:b5:60:f6:99:43:01:a3:88:70:9c:9d:62:9d:a4:87:af:67: + 58:0d:30:36:3b:e6:ad:48:d3:cb:74:02:86:71:3e:e2:2b:03: + 68:f1:34:62:40:46:3b:53:ea:28:f4:ac:fb:66:95:53:8a:4d: + 5d:fd:3b:d9:60:d7:ca:79:69:3b:b1:65:92:a6:c6:81:82:5c: + 9c:cd:eb:4d:01:8a:a5:df:11:55:aa:15:ca:1f:37:c0:82:98: + 70:61:db:6a:7c:96:a3:8e:2e:54:3e:4f:21:a9:90:ef:dc:82: + bf:dc:e8:45:ad:4d:90:73:08:3c:94:65:b0:04:99:76:7f:e2: + bc:c2:6a:15:aa:97:04:37:24:d8:1e:94:4e:6d:0e:51:be:d6: + c4:8f:ca:96:6d:f7:43:df:e8:30:65:27:3b:7b:bb:43:43:63: + c4:43:f7:b2:ec:68:cc:e1:19:8e:22:fb:98:e1:7b:5a:3e:01: + 37:3b:8b:08:b0:a2:f3:95:4e:1a:cb:9b:cd:9a:b1:db:b2:70: + f0:2d:4a:db:d8:b0:e3:6f:45:48:33:12:ff:fe:3c:32:2a:54: + f7:c4:f7:8a:f0:88:23:c2:47:fe:64:7a:71:c0:d1:1e:a6:63: + b0:07:7e:a4:2f:d3:01:8f:dc:9f:2b:b6:c6:08:a9:0f:93:48: + 25:fc:12:fd:9f:42:dc:f3:c4:3e:f6:57:b0:d7:dd:69:d1:06: + 77:34:0a:4b:d2:ca:a0:ff:1c:c6:8c:c9:16:be:c4:cc:32:37: + 
68:73:5f:08:fb:51:f7:49:53:36:05:0a:95:02:4c:f2:79:1a: + 10:f6:d8:3a:75:9c:f3:1d:f1:a2:0d:70:67:86:1b:b3:16:f5: + 2f:e5:a4:eb:79:86:f9:3d:0b:c2:73:0b:a5:99:ac:6f:fc:67: + b8:e5:2f:0b:a6:18:24:8d:7b:d1:48:35:29:18:40:ac:93:60: + e1:96:86:50:b4:7a:59:d8:8f:21:0b:9f:cf:82:91:c6:3b:bf: + 6b:dc:07:91:b9:97:56:23:aa:b6:6c:94:c6:48:06:3c:e4:ce: + 4e:aa:e4:f6:2f:09:dc:53:6f:2e:fc:74:eb:3a:63:99:c2:a6: + ac:89:bc:a7:b2:44:a0:0d:8a:10:e3:6c:f2:24:cb:fa:9b:9f: + 70:47:2e:de:14:8b:d4:b2:20:09:96:a2:64:f1:24:1c:dc:a1: + 35:9c:15:b2:d4:bc:55:2e:7d:06:f5:9c:0e:55:f4:5a:d6:93: + da:76:ad:25:73:4c:c5:43 +-----BEGIN CERTIFICATE----- +MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA +Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO +BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi +MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ +ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ +8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 +zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y +fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 +w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc +G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k +epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q +laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ +QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU +fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 +YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w +ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY +gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe 
+MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 +IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy +dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw +czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 +dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl +aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC +AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg +b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB +ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc +nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg +18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c +gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl +Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY +sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T +SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF +CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum +GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk +zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW +omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD +-----END CERTIFICATE----- diff --git a/cacert/www/coap.html.php b/cacert/www/coap.html.php new file mode 100644 index 0000000..901420e --- /dev/null +++ b/cacert/www/coap.html.php 
@@ -0,0 +1,350 @@
+<?php /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Version: $Id: coap.html.php,v 1.1 2009-03-02 23:09:05 root Exp $
+*/
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+
+<head>
+<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
+<?php
+ echo '<title>'._("Organisation Information (COAP) form").'</title>', "\n";
+?>
+</head>
+
+<body>
+
+<style type="text/css">
+table#TAB1 {border-color: rgb(173,197,215); border-top: solid 5px rgb(173,197,215); border-left: solid 5px rgb(173,197,215);}
+table#TAB1 td { border: 0 }
+</style>
+
+<p>
+<div style="text-align: right;"><img align="absbottum" style="width: 30%; float: none;" alt="CAcert logo" src="http://www.cacert.org/logos/CAcert-logo-colour-1000.png" vspace="3" /></div>
+</div>
+</p>
+<p>
+<div style="text-align: right;">
+<?php
+ echo '<big><big><span style="font-weight: bold;">'._("CAcert Organisation Assurance Programme").'</span></big></big><br>', "\n";
+?>
+</div>
+<div style="text-align: right;">
+<?php
+ echo '<big><big><span style="font-weight: bold;">'._("Organisation Information (COAP) form").'</span></big></big><br>', "\n";
+?>
+</div>
+<div style="text-align: right;">CAcert Inc. - P.O. Box 4107 - Denistone East NSW 2112 - Australia - <a href="http://www.cacert.org/">http://www.cacert.org</a><br></div>
+<br>
+<table style="border-bottom: solid; border-color: rgb(17, 86, 140)" cellspacing="0" cellpadding="0" width="100%">
+<tbody>
+<tr>
+<?php
+ echo ' <td border=0 align="left"><font size=-7>'._("CAcert's Root Certificate sha1 fingerprints").'</font></td>', "\n";
+?>
+ <td border=0 align="right"><font size=-7>class 1: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33</font></td>
+</tr>
+<tr>
+ <td border=0></td>
+ <td border=0 align="right"><font size=-7>class 3: DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D</font></td>
+<tr>
+</font>
+</td>
+</tr>
+</tbody>
+</table>
+<p>
+<?php
+ echo _("The CAcert Organisation Programme (COAP) aims to verify the identity of the organisation."), "<br>\n";
+ echo _("The Applicant asks the Organisation Assurer to verify to CAcert Community that the information provided by the Applicant is correct, and according to the official trade office registration bodies."), "<br>\n";
+ echo _("For more information about the CAcert Organisation Assurance Programme, including detailed guides to CAcert Organisation Assurers, please visit:"), ' ';
+ echo ' <a href="http://www.cacert.org/">http://www.cacert.org</a><br>';
+ echo _("A CAcert Arbitrator can require the Organisation Assurer to deliver the completed forms and accompanying documents in the event of a dispute."), "<br>\n";
+ echo _("For the CAcert Individual Assurance Programme there is a separate special CAP form.");
+?>
+
+<form target="_blank" enctype="application/x-www-form-urlencoded" method="get" action="https://www.cacert.org/coapnew.php" name="COAP form">
+
+<br>
+<table border="1" id="TAB1" cellpadding="2" cellspacing="0" width="100%" rules="groups">
+<thead>
+<tr style="background-color: rgb(17, 86, 140); color: white;">
+<?php
+ echo ' <th colspan="4" align="left"><big><big>'._("Organisation Identity Information").'</big></big></th>', "\n";
+?>
+</tr>
+</thead>
+<tbody>
+<tr>
+<?php
+ echo ' <td nowrap>'. _("Name of the organisation").'</td>', "\n";
+ echo ' <td colspan="3"><input size=\"60\" maxlength=\"80\" name=\"name\"></td>', "\n";
+ echo '</tr>', "\n";
+ echo '<tr>', "\n";
+ echo ' <td nowrap>'. _("Address").' ('. _("comma separated"). ')';
+ echo ' <td colspan="3"><input size=\"60\" maxlength=\"80\" name=\"address\"></td>', "\n";
+ echo '</tr>', "\n";
+?>
+</tbody>
+<tbody>
+<tr>
+<?php
+ echo ' <td>'. _("Jurisdiction info"). '</td>', "\n";
+ echo ' <td align="left"><i>'. _("type"). '</td></i>', "\n";
+ echo ' <td align="left"><i>'. _("state"). '</td></i>', "\n";
+ echo ' <td align="right"><i>'. _("country code"). '</td></i>', "\n";
+ echo '</tr>', "\n";
+ echo '<tr>', "\n";
+ echo ' <td></td>', "\n";
+ echo ' <td align="left"><input size=\"25\" maxlength=\"80\" name=\"type\"></td>', "\n";
+ echo ' <td align="left"><input size=\"25\" maxlength=\"80\" name=\"state\"></td>', "\n";
+ echo ' <td align="right"><input size=\"3\" maxlength=\"80\" name=\"country\"></td>', "\n";
+?>
+</tr>
+</tbody>
+<tbody>
+<?php
+ for ( $i = 0; $i < 2; $i++ ) {
+ echo '<tr>', "\n", ' <td>';
+ if ( $i < 1 ) { echo _("Registered Trade Names");}
+ echo '</td>', "\n";
+ for ( $j = 1; $j <= 3; $j++ ) {
+ printf(" <td align=\"%s\"><input size=\"25\" maxlength=\"80\" name=\"dba%d\"></td>\n", $j > 2 ? "right" : ($j > 2 ? "center" : "left") , $i * 3 + $j);
+ }
+ echo '</tr>', "\n";
+ }
+?>
+</tbody>
+<tbody>
+<tr>
+<?php
+ echo ' <td>'. _("Trade Office info"). '</td>', "\n";
+ echo ' <td align="left"><i>'. _("reg. number"). '</td></i>', "\n";
+ echo ' <td align="left"><i>'. _("trade office"). '</td></i>', "\n";
+ echo ' <td align="right"><i>'. _("region"). '</td></i>', "\n";
+ echo '</tr>', "\n";
+ echo '<tr>', "\n";
+ echo ' <td></td>', "\n";
+ echo ' <td align="left"><input size=\"25\" maxlength=\"80\" name=\"identity\"></td>', "\n";
+ echo ' <td align="left"><input size=\"25\" maxlength=\"80\" name=\"tor\"></td>', "\n";
+ echo ' <td align="right"><input size=\"25\" maxlength=\"80\" name=\"torregion\"></td>', "\n";
+?>
+</tr>
+</tbody>
+<tbody>
+<?php
+ for ( $i = 0; $i < 2; $i++ ) {
+ echo '<tr>', "\n", ' <td>';
+ if ( $i < 1 ) { echo _("Internet Domain(s)");}
+ echo '</td>', "\n";
+ for ( $j = 1; $j <= 3; $j++ ) {
+ printf(" <td align=\"%s\"><input size=\"25\" maxlength=\"80\" name=\"domain%d\"></td>\n", $j > 2 ? "right" : ($j > 2 ? "center" : "left"), $i * 3 + $j);
+ }
+ echo '</tr>', "\n";
+ }
+?>
+</tbody>
+<tbody>
+<?php
+ for ( $i = 1; $i <=2; $i++ ) {
+ echo '<tr>', "\n", ' <td>';
+ if( $i < 2 ) { echo _("Organisation Administrator(s)"); }
+ echo '</td>', "\n";
+ printf(" <td colspan=\"3\"<input size=\"65\" maxlength=\"80\" name=\"admin%d\"></td>\n</tr>\n",$i);
+ echo "<tr>\n <td></td><td colspan=\"2\" align=\"left\"><i>". _("email") . "</i> ";
+ printf("<input size=\"45\" maxlength=\"80\" name=\"admin%demail\"></td>\n", $i);
+ echo " <td align=\"right\"><i>". _("phone") . "</i> ";
+ printf("<input size=\"15\" maxlength=\"80\" name=\"admin%dphone\"></td>\n", $i);
+ }
+?>
+</tbody>
+</table>
+
+<table border="1" id="TAB1" cellpadding="2" cellspacing="0" width="100%" rules="groups">
+<tr style="background-color: rgb(17, 86, 140); color: white;">
+ <th colspan="3" align="left"><big><big>
+<?php
+ echo _("Organisation's Statement");
+?>
+</big></big></th>
+</thead>
+<tbody>
+<tr>
+ <td colspan="2"><i>
+<?php
+ echo _("Make sure you have read and agreed with the CAcert Community Agreement");
+?>
+ (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)</i><br></td>
+</tr>
+<tr><td colspan=2><p></td></tr>
+<tr>
+<?php
+ echo ' <td colspan="2"><i>'. _("director") . '</i>', "\n";
+ echo ' <input maxlength="80" size="65" name="director"></td>', "\n";
+ echo '</tr><tr>', "\n";
+ echo ' <td><i>'. _("email");
+ echo ' <small><small>(optional)</small></small>';
+ echo '</i> <input maxlength="80" size="40" name="email"></td>', "\n";
+ echo ' <td align="right"><i>'. _("phone");
+ echo ' <small><small>(optional)</small></small>';
+ echo '</i> <input maxlength="80" size="15" name="phone"></td>', "\n";
+?>
+</tr>
+<tr>
+ <td colspan="2"><input type="checkbox" checked name="checked" value="1">
+<?php
+ echo ' '. _("I agree to the CAcert Community Agreement.").' (';
+?>
+<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">CCA</a>)</dd></td>
+</tr>
+<tr>
+ <td colspan="2"><input type="checkbox" checked name="checked" value="2">
+<?php
+ echo _("I hereby confirm that all information is complete and accurate and will notify CAcert of any updates or changes thereof."). "</td>\n</tr>\n";
+ echo "<tr>\n", ' <td colspan="2"><input type="checkbox" checked name="checked" value="3">';
+ echo _("I am duly authorised to act on behalf of the organisation, I grant operational certificate administrative privileges to the specified Organisation Administrator and, I request the Organisation Assurer to verify the organisation information according to the Assurance Policies."). "</td>\n";
+?>
+<tr><td colspan="2"></td></tr>
+<tr>
+<?php
+ echo ' <td>'. _("Date"). ' <small><small>(<i>'. _("yyyy-mm-dd"). '</i>)</small></small>';
+ echo '<br><input maxlength="10" size="11" name="date"></td>', "\n";
+ echo ' <td align="right">'. _("Signature") .'<br> ('._("and organisation stamp") . ")</td>\n";
+ echo "</tr><tr>\n";
+?>
+</tr>
+<tr><td colspan="2"><p></td></tr>
+</tbody>
+</table>
+<br>
+
+<table border="1" id="TAB1" cellpadding="2" cellspacing="0" width="100%" rules="groups">
+<thead>
+<tr style="background-color: rgb(17, 86, 140); color: white;">
+<?php
+ echo ' <th colspan="2" align="left"><big><big>'._("Organisation Assurer's Statement").'</big></big></td>', "\n";
+?>
+</tr>
+</thead>
+<tbody>
+<tr><td colspan="2"><p></td></tr>
+<tr>
+<?php
+ echo ' <td colspan="2"><i>'. _("organisation assurer") . '</i> ', "\n";
+ echo '<input maxlength="80" size="60" name="assurer"></td>', "\n";
+ echo '</tr><tr>', "\n";
+ echo ' <td><i>'. _("email");
+ echo ' <small><small>(optional)</small></small>';
+ echo '</i> <input maxlength="80" size="40" name="assureremail"></td>', "\n";
+ echo ' <td align="right"><i>'. _("phone");
+ echo ' <small><small>(optional)</small></small>';
+ echo '</i> <input maxlength="80" size="15" name="assurerphone"></td>', "\n";
+?>
+</tr>
+<tr>
+ <td colspan="2"><input type="checkbox" checked name="checked" value="3">
+<?php
+ echo _("I, the Assurer, hereby confirm that I have verified the official Information for the organisation, I will witness the organisation's identity in the CAcert Organisation Assurance Programme, and complete the Assurance.") . "</td>\n";
+?>
+</tr>
+<tr>
+ <td colspan="2"><input type="checkbox" checked name="checked" value="4">
+<?php
+ echo _("I am a CAcert Community Member, have passed the Organisation Assurance Challenge, and have been appointed for Organisation Assurances within the country where the organisation is registered."). "</td>\n";
+?>
+</tr>
+<tr><td colspan=2><p></td></tr>
+<tr>
+<?php
+ echo ' <td>'._("Date").' <small><small>(<i>'._("yyyy-mm-dd").'</i>)</small></small>';
+?>
+<br><input maxlength="10" size="11" name="assurerdate"></td>
+<?php
+ echo ' <td align="right" valign="top">'._("Signature").'</td>', "\n";
+?>
+</tr>
+<tr><td colspan="2"></td><tr>
+</tbody>
+</table>
+<div style="text-align: right;"><small><small><span>©
+<?php
+ echo date('Y').' CAcert Inc., V2, '.date('Y-n-j');
+?>
+</small></small></span></div>
+<br>
+<p>
+
+<table border="0" cellpadding="2" cellspacing="0" width="100%" rules="groups">
+<thead>
+<tr style="background-color: rgb(112, 154, 186); color: white;">
+ <th colspan="2" align="left"><big><big>
+<?php
+ echo _("How To Print this CAP form");
+?>
+</big></big></td>
+</tr>
+</thead>
+</table>
+<p>
+<?php
+ echo _("A printer ready file with the form and attachments can be generated as follows:");
+?>
+<dl>
+ <dd><input type="radio" name="orientation" value="landscape">
+<?php
+ echo ' '._("2-up");
+ echo ' <input type="radio" checked="checked" name="orientation" value="portrait"> '._("portrait").' '._("1-up").')';
+?>
+</dd>
+ <dd><input type="radio" checked="checked" name="format" value="A4"> A4
+ <input type="radio" name="format" value="A5"> A5
+<?php
+ echo ' <input type="radio" name="format" value="letter"> Letter '._("paper format");
+ echo "</dd>\n";
+ echo ' <p><dd><input type="radio" name="nocca" value="false"> '._("no");
+ echo ' <input type="radio" checked="checked" name="nocca" value="true"> '._("yes, the CCA is attached to the form."), "</dd>\n";
+ $policies = array(
+ 'Organisation Assurance Policy' =>
+ 'http://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/OrganisationAssurancePolicy.html',
+ 'Organisation Assurance Subpolicy for Australia' =>
+ 'http://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/OrganisationAssuranceSubPolicyAustralia.html',
+ 'Organisation Assurance Subpolicy for Europe' =>
+ 'http://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/OrganisationAssuranceSubPolicyEurope.html',
+ 'Organisation Assurance Subpolicy for the United States' =>
+ 'http://svn.cacert.org/CAcert/Policies/OrganisationAssurancePolicy/OrganizationAssuranceSubPolicyUnitedStates.html',
+ );
+ $cnt = 0;
+ while( list($key, $ref) = each($policies) ) {
+ $cnt++;
+ if( $cnt < 2 ) {
+ echo '<p><dd>'. _("Applicable Organisation Policy documents and information can be attached to the pdf output file. Mark those documents, which need to be attached") . ":<br>\n";
+ }
+ printf("<dd><input type=\"checkbox\" name=\"policy%d\" value=\"%s\"> <a href=\"%s\">%s</a></dd>\n", $cnt, $ref, $ref, $key);
+ }
+ if( $cnt > 0 ) {
+ echo "</dd>\n";
+ }
+ echo "</dl>\n";
+ echo _("Submit the form").': <button type="submit" style="background-color: rgb(112, 154, 186); color: white;"> '._("generate PDF file");
+ echo "</button>\n";
+?>
+</p>
+</form>
+
+</body>
+</html>
diff --git a/cacert/www/coapnew.php b/cacert/www/coapnew.php
new file mode 100644
index 0000000..301d5c2
--- /dev/null
+++ b/cacert/www/coapnew.php
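Review bot: The COAP form is submitted with `method="get"` to coapnew.php, so the director's, administrators' and assurer's names, e-mail addresses and phone numbers are carried in the request URL, where they persist in browser history and are typically written to web-server and proxy access logs. Switching the form to `method="post"` keeps that personal data out of URLs; coapnew.php's parameter handling is outside this hunk, so it would have to accept POST as well. Separately, the input fields emitted from single-quoted strings, e.g. `echo ' <td colspan="3"><input size=\"60\" maxlength=\"80\" name=\"name\"></td>', "\n";`, keep their backslashes because PHP only unescapes `\'` and `\\` inside single quotes, so the browser receives `name=\"name\"` rather than `name="name"`; dropping the backslashes in those `echo` lines fixes the field names, while the double-quoted `printf` lines are already correct.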
@@ -0,0 +1,1594 @@
+<?php
+/*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+// $Id: coapnew.php,v 1.2 2009-03-02 23:09:05 root Exp $
+define('REV', '$Revision: 1.2 $');
+
+/*
+** Created from old cap.php 2003, which used the now obsoleted ftpdf package
+** First created: 12 July 2008
+** Last change: see Revision date
+** Reviews:
+** printed text by Ian Grigg and Teus Hagen (July 2008)
+** layout/design by Teus Hagen and Johan Vromans (July 2008)
+** coding by Teus Hagen and ...
+**
+** Installation:
+** std PHP lib:
+** recode_string(), zcompress() (PHP-ZLIB) only used if present
+** zcompress (pdf compression) gives performance loss, disable it?
+** PDF generation package (tcpdf/tcpdf.php):
+** TCPDF package + define the TCPDF_DIR install directory (GPL)
+** tcpdf package is patched for text subtypes see tcpdf diff file.
+** Add free embedding zapfdingbat font
+** ttf2pt1 -F zapfdinbats.ttf -> zapfdingbats.utf metrics file
+** php -q makefont.php zapfsdingbats.ttf zapfdingbats.utf -> .php,.ctg.z,.z
+** install files: zapfdingbats.{php,z,ctg.z} in tcpdf/fonts dir
+** UTF8 package for unicode (utf8/native/core.php):
+** utf8_substr() only when package is found and needs to be used
+** transliteration (and abbreviation):
+** if full name has non-ascii char(s) try to use: utf8_to_ascii()
+** First from transtab.php package which is Markus Kuhn compliant
+** transtab.php is CAcert php package.
+** Transtab depends on on its turn on UTF8 package.
+** Secondly if not found utf8ascii lib tried (artistic license)
+** http://sourceforge.net/projects/phputf8
+** .../utf8_to_ascii-0.3.tar.gz
+** see UTF8_ASCII definition for location requirements
+** Thirdly: if not found transliteration feature is disabled.
+**
+** policy documents for pdf inclusion:
+** define CCA file (default policy)
+** LOGO: CAcert logo logos directory is LOGO
+**
+** Functionality:
+** Test: use environment variable settings as parameters for
+** Organisation: name, dba's, director, sign date, trade license ID
+** address, country/state jurisdiction, domain(s)
+** o-admins: name, email, phone
+** Registry: name, region
+** Assurer: name, email, sign date
+**
+** Form fields: javascript form fields with fields for printout and change
+** Printout: printed, and completed for final signatures
+** On transliteration and abbreviation of a name:
+** if shoes a std way show accepted conversion as pdf comment
+** Orientation: on landscape (dflt) print 2-up
+** PDF URL links are used to web, wiki, and faq for more info search
+** Only on non-ascii chars in a name the utf8 routines are loaded
+** PDF reader has wiki info url's and easy email feedback
+** ENABLED:
+** included is the CCA generates 2 extra pages (needs work to limit vert spacing)
+**
+** For other re-use of some routines:
+** abbreviate() abbreviate a name on std
way
+** transliterate() provide name in translated format in std way
+**
+** For tests:
+** environment settings (FORM, FORMAT, CCA, ...) define used test data
+** In test modus variable path_url from tcpdf package unset warnings
+** Set for operation modus TEST on false (or comment code out)
+**
+** Future:
+** digitally sign form and process it via network
+**
+** unicode and UTF-8 support:
+** php4/5 recode() is alias of recode_string() of PHP library
+** If not provided: should check every string is transcoded?
+** recode(), recode_string(0 is said to have too many (japanese) defeats
+** recode_string() is only used on GET[] input (html->utf-8),
+** UTF-8 use routines from http://www.sourceforge.net/projects/phputf8
+** which replaces php recode() package.
+** on many places own utf-8 handling code exists and is loaded (tcpdf problem)
+** _() translation routine. The returned HTML string is translated to utf-8 string.
+** the GET() routines expects utf-8 code (see test defs) but might be changed
+** to use html entity conversion routine of PHP (5.2 has a problem...).
+**
+** PDF compression zlib: (now disabled)
+** if PHP lib zcompress() is present, generated PDF is compressed
+**
+** FONTS future use ? http://www.slovo.info/unifonts.htm? (not used now)
+** or Bitstream Cyberbit http://www.orwell.ru/download/cyberbit.zip
+** Latter font is no longer for free download
+** For now: FreeVeraSans is used now and embedded (std in TCPDF package)
+** Zapf Dingbats font: some Open Source readers have bad font handling or
+** no zapfdingbat font. So one is embedded
+** To be generated with tooling in util directory.
+**
+** TO DO, to CHECK and KNOWN PROBLEMS:
+** _() translation routine returns recoded and checks UTF-8 chars?
+** Japanse package (maybe not needed with TCPDF?)
+** CCA informal should be on one page (no CCA printed yet)
+** form field checks, print button (Java script)
+** data structs in Java script and globalize property settings
+** XML
+** timestamping, signatures and certificate usage
+** list of recipients, encrypt the document and send it off
+** On Acrobat 7.0: first form field call error (have work around)
+** eps problem with logo (no eps logo yet)
+** multi selection of ID types in form fields (value editable now)
+** ugly capital char use in intro to bold or italic lowercase
+** tables over page boundaries do not fully work yet
+**
+** DEPENDENCIES:
+** This PDF GENERATION package relies on the PHP PDF generation
+** package of TCPDF source force project:
+** http://sourceforge.net/projects/tcpdf/ V 4.0.007 18th July 2008
+** The tcpdf software supports encryption, signatures, and form fields
+** TCPDF is using URF-8 code (good!)
+** The TRANSLITERATE code tables db (utf8ascii) is not compliant (!?) with
+** Markus Kuhn <http://www.cl.cam.ac.uk/~mgk25/> -- 2001-09-02
+** First is tried to use Markus his tables
+** For a test file with all chars see there (it is also in tcpdf package).
+** Both transliteration packages rely on UTF-8 code, only loaded when available and
+** when really needed.
+** PDF generation: The alternative is the one from the std PHP library.
+**
+** SECURITY:
+** PHP libs: packages seems to download files on the fly into local filesystem!!!
+**
+** All sizes (in mm) is related to A5 base, so other page formats are scaled.
+**
+** Parameters (API):
+** $_GET['date'] date of assurance and signature applicant organisation
+** $_GET['name'] full name assuree default empty for upward compatibility
+** $_GET['dba<1-9>'] etc. %d = 1-9 trade names
+** $_GET['address'] postal address department, office, street, zip, city
+** $_GET['state'] jurisdiction
+** $_GET['country'] jurisdiction address
+** $_GET['type'] type of organisation: e.g.
foundation, partnership, Lmtd
+** $_GET['domain<0..n>'] domain names of organisation
+** $_GET['director'] can sign for the organisation
+** $_GET['email'] email address for organisation contact
+** $_GET['phone'] organisation phone number for contact
+** $_GET['admin'] o-admin name
+** $_GET['adminemail'] o-admin emailo address
+** $_GET['adminphone'] o-admin phone number
+** $_GET['admin<1-9>'] o-admin name
+** $_GET['admin<1-9>email'] o-admin emailo address
+** $_GET['admin<1-9>phone'] o-admin phone number
+** $_GET['identity'] trade office license Identification number
+** $_GET['tor'] trade office name
+//** $_GET['tordate'] trade office extract date (depreciated)
+** $_GET['torregion'] trade office region (depreciated)
+** $_GET['assurer'] full name assurer default empty
+** $_GET['assureremail'] email address assurer default empty (new)
+** $_GET['assurerdate'] date of signature assurer (new)
+** $_GET['assurerphone'] contact phone number of assurer (new)
+//** $_GET['assurancedate'] date of assurance (new) (depreciated)
+//** $_GET['location'] location of assurance (depreciated)
+** $_GET['nocca'] do not print CCA on back side (dflt: false)
+** $_GET['policy<%d>'] to include policy document(s) in pdf file %d = 1-9 (new)
+** $_GET['noform'] do not print form (dflt: true) (new)
+** $_GET['format'] paper format required A0-A6,Letter, Folio, B0-B6 (dflt A4)
+** $_GET['watermark'] watermark on the page
+** $_GET['orientation'] paper orientation default "landscape" default 2-up (new)
+** $_SESSION['_config']['language'] for "ja_JP" japanese default != ja_JP
+** $_SESSION['_config']['recode'] = "format" recode() uses it: needed ?
+** recode() is aliased to php lib function recode_string()
+** $_REQUEST[bw] if exists use black/white, default use colour
+**
+** Output, package generates:
+** PDF display screen is scaled to 100% A4 size
+** PDF property fields have CAcert info
+** on non empty _GET strings, the package generates prefilled form fields.
+** PDF form field variables (Java Script):
+** Applicant
+** Organisation.Names[0] organisation name
+** Organisation.Address street address, zip, city
+** Organisation.Type comma separated values (csv)
+** type of organisation
+** state
+** country
+** Organisation.DBA registered trade names (csv)
+** Organisation.Domains organisation domain names (csv)
+** Organisation.Director.Name name of director with signing power
+** Organisation.Director.Email corporate email address
+** Organisation.Director.Phone corporate phone number
+** Organisation.Date date of signature director
+** Organisation.Admin[].Name 0..9 name of org. admnin
+** Organisation.Admin[].Email 0..9 o-admin email address
+** Organisation.Admin[].Phone 0..9 o-admin phone number
+** Trade Office Registry
+** tor.info comma separated values (csv):
+** unique trade office Identification number
+** name trade office registry
+** region trade office (depreciated)
+** date of trade office Extract (depreciated)
+** Assurer
+** Assurer.Name full name of assurer
+** Assurer.Email email address assurer
+** Assurer.Date date signature assurer
+//** Assurance info (depreciated)
+//** assurance.location string may have date of meeting (depreciated)
+//** assurance.date date of assurance (depreciated)
+** Form Revision string is generated from RCS revision string.
+** More info on PDF fields:
+** http://www.adobe.com/devnet/acrobat/pdfs/js_developer_guide.pdf
+**
+*/
+
+// use next define if you test this code
+define( 'TEST', true );
+
+// INSTALLATION DIRS OF PACKAGES ==============================
+// make sure packages are installed here
+define('RT','./');
+define('TCPDF_DIR','/usr/share/tcpdf_php4');
+define('UTF8',RT."/utf8/native/core.php");
+if( file_exists(RT.'/transtab.php') ) // wherever it is
+ define('UTF8_ASCII', RT.'/transtab.php');
+else
+ define('UTF8_ASCII', RT.'/utf8_to_ascii/utf8_to_ascii.php'); // optional
+// end operational special code defs
+
+if( defined( 'TEST' ) ) {
+// ONLY FOR TEST PURPOSES =====================================
+ /* test data */
+
+ $_SESSION['_config']['recode'] = "html..utf-8"; // ????
+ if( isset($_SERVER['LANG']) )
+ $_SESSION['_config']['language'] = $_SERVER['LANG'];
+
+ if( array_key_exists('FORMAT',$_SERVER) AND $_SERVER['FORMAT'] )
+ $_GET['format'] = $_SERVER['FORMAT'];
+ else {
+ //$_GET['format'] = "A5"; // margin scale problem... does not work
+ //$_GET['format'] = "Legal"; // ok
+ //$_GET['format'] = "Folio"; // ok
+ //$_GET['format'] = "Letter"; // letter little margin problem
+ //$_GET['format'] = "A4"; // A4, default ok
+ }
+ if( array_key_exists('ORIENTATION',$_SERVER) AND $_SERVER['ORIENTATION'] )
+ $_GET['orientation'] = $_SERVER['ORIENTATION'];
+ else {
+ //$_GET['orientation'] = "portrait"; // default 2 pages, or portrait
+ }
+ $_GET['nocca'] = isset($_SERVER['CCA']) ?
$_SERVER['CCA'] : "";
+ if( isset($_SERVER['FORM']) AND $_SERVER['FORM'] == "noform" )
+ $_GET['noform'] = "true";
+
+ if( array_key_exists('FORM',$_SERVER) AND $_SERVER['FORM'] != 'empty' ){
+ // organisation info part
+ $_GET['name'] = "Stichting Oophaga foundation";
+ $_GET['address'] = "De Burgerstraat 25, office 268, 1098 SJ, Amsterdam-Buitenveldert";
+ $_GET['state'] = "";
+ $_GET['country'] = "Netherlands";
+ $_GET['type'] = "foundation";
+ $_GET['dba1'] = "Oophaga"; // trade names
+ //$_GET['DBA2..9'] = "St. Oophaga";
+ // applicant signer for organisation
+ $_GET['director'] = "Gerard H. M. Sühmple"; // upwards competable
+ //$_GET['email'] = "director@oophaga.org";
+ $_GET['phone'] = "+31 773270066";
+ $_GET['date'] = "2008-08-18"; // upwards compatible
+ // trade office information
+ $_GET['identifier'] = "NL-238603-AA02";
+ $_GET['tor'] = "Kamer van Koophandel";
+ $_GET['torregion'] = "Amsterdam";
+ //$_GET['tordate'] = "2008-04-03";
+ // contact name(s)
+ $_GET['domain1'] = "oophaga.org, oophaga.nl";
+ $_GET['domain2'] = "oophaga.net";
+ $_GET['domain4'] = "oophaga.eu";
+ $_GET['admin'] = "Görge H. M. Sämple"; // upwards competable
+ $_GET['adminemail'] = "tesu.hagaen@thesu.xs4all.eu";
+ $_GET['adminphone'] = "+31 77 327996";
+ //$_GET['admin2..9XX'] = ""; // name, email, phone
+ // assurer info
+ $_GET['assurer'] = "My O.
Assurer-Name";
+ $_GET['assurerdate'] = "now";
+ $_GET['assureremail'] = "Assurer@cacert.org";
+ $_GET['assurerphone'] = "+31737201060";
+ // assurance info
+ //$_GET['assurancedate'] = "2008-12-21"; depreciated
+ //$_GET['location'] = "Amsterdam, Holland"; depreciated
+ //$_GET['notes'] = "bla bla"; depreciated
+ // handy
+ $_GET['watermark'] = "just an EXAMPLE";
+ } else {
+ //$_GET['ALL'] = "empty";
+ }
+
+ //$_REQUEST['bw'] = true;
+
+} // end of TEST code ===========================================================
+
+/* Directory settings for installation */
+// change next for directory settings for packages !!!!!!!!!!!!!!!!!!!!!!
+// set to correct internal path to TCPDF pakage installation
+// Make sure pdf generation package is not connecting internet for
+// whatever reason and downloading files into this host!!!!
+// UCPDF as well PHP PDF std package have unsecure code as well....
+require_once(TCPDF_DIR . '/config/lang/eng.php');
+require_once(TCPDF_DIR . '/tcpdf.php');
+
+// CAcert logo path/file name is extended with eg color, mono and format type
+define( 'LOGO','logos/CAcert-logo-');
+// eps should give better quality, LOGO_TYPE -> .eps
+// eps does not work with CAcert logo, set to .eps when ok
+define( 'LOGO_DPI', '1000');
+define( 'LOGO_TYPE','-'.LOGO_DPI.'.png');
+// logo colors RGB hex
+define('BLUE', '#11568C'); // RGB 17 86 140
+define('LBLUE', '#ADC5D7'); // RGB 112 154 186
+define('LLBLUE','#D6E2EB'); // lighhter blue RGB 173 197 215
+define('LIME', '#C7FF00'); // RGB 199 255 0
+define('GREEN', '#00BE00'); // 0 190 0
+
+define('POBOX','CAcert Inc. - P.O.
Box 4107 - Denistone East NSW 2112 - Australia');
+define('WEB', 'http://www.cacert.org');
+define('WIKI','http://wiki.cacert.org/wiki');
+define('ROOTKEYS','http://www.cacert.org/index.php?id=3');
+define('ASSCOAP', WIKI.'/FAQ/AssuranceByCAP');
+define('ASSHBK', WIKI.'/OrganisationAssuranceManual');
+define('ASSINFO', WIKI.'/OrganisationEntities');
+define('ASSINTRO', WIKI.'/FAQ/AssuranceIntroduction');
+define('ASSORG', WIKI."/OrganisationAssurance");
+define('ARBIT', WIKI."/ArbitrationForum");
+// CAcert Community Agreement
+define('CCA', "CAcertCommunityAgreement"); // default policy to print
+define('POLICY','policy/'); // default polciy doc directory
+define('EXT','.php'); // default polciy doc extention, should be html
+/* finger print CAcert Root Key */ // should obtain this automatically
+define("CLASS1_SHA1","135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33");
+define("CLASS3_SHA1","DB4C 4269 073F E9C2 A37D 890A 5C1B 18C4 184E 2A2D");
+// next two are not used on the form
+define("CLASS1_MD5","A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B");
+define("CLASS3_MD5","73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6");
+// if on draft provide std message
+define('WATERMARK',"");
+
+// other definitions for the form
+define("MAX_COLS", 2); // max coulumns per page Landscape is printed with 2-up
+// put next to 200 and it will disable printout
+define("MINH", 107.5); // in A5 mm is current estimated left over space on one page
+define("H", 5); // height of a name entry field
+//set margins
+define("MARGIN",11.296); // 2-up will be scaled
+// base of font size
+define( 'F_SIZE', 7 );
+
+define('DFL_FORMAT', 'html..utf-8');
+
+// enviroment dependent constants
+// Japanese is not supported?
+if( array_key_exists('_config', $_SESSION) ) {
+ if( isset($_SESSION['_config']['language']) ) {
+ if($_SESSION['_config']['language'] == "ja_JP")
+ define('FONT','SJIS');
+ else define( 'FONT', 'freesans');
+ }
+ else define( 'FONT', 'freesans');
+}
+else
+ //define( 'FONT', 'dejavusans');
+ define( 'FONT', 'freesans');
+
+// generate black/white?
+if(array_key_exists('bw',$_REQUEST))
+ define('BW', true);
+else
+ define('BW', false);
+
+// function is left in tact, but to new tcpdf code UFT-8 is fully supported now.
+function my_recode($strg = NULL )
+{
+ static $format = NULL;
+ if( $strg == NULL OR !$strg ) return ( "" );
+ if( $format == NULL ) {
+ if( array_key_exists('_config', $_SESSION) ) {
+ if( isset( $_SESSION['_config']['recode']) )
+ $format = $_SESSION['_config']['recode'];
+ else $format = DFL_FORMAT;
+ }
+ else $format = DFL_FORMAT;
+ }
+ // newer tcpdf package is full UTF-8 Voided by this package?
+ if( function_exists("recode_string" ) )
+ return ( recode_string($format, $strg) );
+ else return( $strg );
+}
+
+// return TRUE if string is ascii and not device control chars specialized for
+// personal names (no device controls)
+function utf8_is_ascii_ctrl($str) {
+ if ( strlen($str) > 0 ) {
+ // Search for any bytes which are outside the ASCII range,
+ // or are device control codes
+ //return (preg_match('/[^\x09\x0A\x0D\x20-\x7E]/',$str) !== 1); deleted \r and \n
+ return (preg_match('/[^\x09\x20-\x7E]/',$str) !== 1);
+ }
+ return FALSE;
+}
+
+
+// extend TCPF with custom functions
+class COAPPDF extends TCPDF {
+
+ // do cap form version numbering automatically "$Revision: 1.2 $"
+ /*public*/ function Version() {
+ strtok(REV, " ");
+ return(strtok(" "));
+ }
+
+ /*public*/ function myHeader( $msg = NULL, $url = NULL )
+ {
+ static $my_url = NULL;
+ if( $msg != NULL ) {
+ $this->my_header_msg = $msg; $my_url = $url; return;
+ }
+ if( $this->my_header_msg == NULL ) return;
+ if( $this->msg_page_nr > 0 ) {
+ $font_fam = $this->FontFamily;
+
$font_style = $this->FontStyle.($this->underline ? 'U' : '').($this->linethrough ? 'D' : '');
+ $font_size = $this->getFontSize();
+ $this->SetFont(FONT,'', F_SIZE-1);
+ $this->setXY($this->lMargin, MARGIN-3);
+ $this->Cell($this->colwidth, 3,$this->my_header_msg, 0, 0, 'R');
+ if( !empty($font_fam ) )
+ $this->SetFont($font_fam,$font_style,$font_size);
+ if( $my_url != NULL AND $my_url != "" )
+ $this->myLink($this->lMargin+$this->colwidth/2,$this->lMargin-4,$this->colwidth,(F_SIZE+5)/2.9,$my_url);
+ }
+ $this->setXY($this->lMargin, MARGIN+3);
+ $this->y0 = $this->getY();
+ }
+
+ // undefine default header and footer handling
+ // default routines do not handle columns
+ function Footer() { }
+ function Header() { }
+ function Mark( $string = "" ) {
+ return array( $string, 1+substr_count($string,'.') );
+ }
+
+ /*public*/ function myFooter( $msg = NULL, $url = NULL )
+ {
+ static $my_url = NULL;
+ if( $msg != NULL ) {
+ $this->my_footer_msg = $msg; $this->msg_page_nr = 0;
+ $my_url = $url; return;
+ }
+ if( $this->my_footer_msg == NULL ) return;
+ $this->InFooter = true;
+ $this->msg_page_nr++;
+ $font_fam = $this->FontFamily;
+ $font_style = $this->FontStyle.($this->underline ? 'U' : '').($this->linethrough ? 'D' : '');
+ $font_size = $this->getFontSize();
+ $this->SetFont(FONT,'', F_SIZE-1);
+ if( $this->msg_page_nr > 1 ) {
+ $this->SetXY($this->lMargin, $this->GetPageHeight()/$this->scale*100.0-6);
+ $this->Cell($this->colwidth, 3,
+ sprintf("%s %d", $this->unhtmlentities( _('page') ), $this->msg_page_nr),
+ 0, 0, 'C');
+ }
+ if( $this->my_footer_msg != "" ) {
+ $strg = "© ". date("Y"). " CAcert Inc.".", ".
$this->my_footer_msg;
+ $this->SetXY($this->lMargin+MARGIN/2, $this->GetPageHeight()/$this->scale*100.0-6);
+ $this->Cell($this->colwidth, 3, $strg, 0, 0, 'R');
+ if( $my_url != NULL AND $my_url != "" )
+ $this->myLink($this->lMargin+MARGIN/2,$this->GetPageHeight()/$this->scale*100.0-6,$this->colwidth,(F_SIZE+5)/2.9,$my_url);
+ }
+ if( $this->Watermark != "" ) {
+ $this->StartTransform();
+ $savex = $this->GetX(); $savey = $this->GetY();
+ $this->SetFont(FONT,'', F_SIZE*7);
+ $l = $this->GetStringWidth($this->Watermark);
+ $h = $this->GetPageHeight()/$this->scale*100.0/2;
+ $w = $this->colwidth/2+MARGIN;
+ $this->SetXY(0,0);
+ $this->TranslateY($h+(F_SIZE*7)/2.9);
+ $this->TranslateX($w-MARGIN+$this->lMargin);
+ $this->Rotate(rad2deg(atan($h/$w)));
+ $this->Text(-$l/2,0,$this->Watermark, 0.8);
+ $this->StopTransform();
+ $this->SetXY($savex,$savey);
+ }
+
+ if( !empty($font_fam ) )
+ $this->SetFont($font_fam,$font_style,$font_size);
+ $this->InFooter = false;
+ }
+
+ // user and print preferences
+ // NumCopies, PrintPageRange, DisplayDocTitle, HideMenuBar, HideToolBar, ...
+ /*public*/ var $ViewerPrefs = array(
+ 'Duplex' => 'Simplex',
+ 'NumCopies'=> '1',
+ 'DisplayDocTitle' => 'CAcert Organisation Assurance Programme (COAP) form',
+ 'HideToolBar' => true,
+ 'FitWindow' => true,
+ );
+
+ //number of colums
+ /*protected*/ var $ncols=1;
+
+ // columns width
+ /*protected*/ var $colwidth=0;
+
+ // space between columns
+ /*protected*/ var $column_space = 0;
+
+ //Current column
+ /*protected*/ var $col=0;
+
+ //Ordinate of column start
+ /*protected*/ var $y0;
+
+ // scaling factor
+ /*protected*/ var $scale = 100.0;
+
+ // print header and footer
+ /*protected*/ var $my_footer_msg = NULL;
+ /*protected*/ var $my_header_msg = NULL;
+ /*protected*/ var $msg_page_nr = 0;
+
+ // print short watermark on the page
+ /*public*/ var $Watermark = WATERMARK;
+
+ /*public*/ function SetFormat( $format = "A4" ) {
+ switch( strtolower($format) ) {
+ // there is some scale problems with margins...
+ case "a1":
+ case "b1":
+ $this->scale *= 1.4142;
+ case "a2":
+ case "b2":
+ $this->scale *= 1.4142;
+ case "a3":
+ case "b3":
+ $this->scale *= 1.4142; break;
+ case "a5":
+ case "b5":
+ $this->scale /= 1.4142; break;
+ case "letter":
+ $this->scale *= 0.97; break;
+ default: $format = "A4";
+ case "a4":
+ case "b4":
+ case "folio":
+ case "legal":
+ break;
+ }
+ $this->SetDisplayMode(intval($this->scale), 'SinglePage', 'UseOC');
+ return( $format );
+ }
+
+ //Set position at a given column
+ /*private*/ function SetCol($col = -1) {
+ static $pagecolwidth = 1.0;
+ static $column_space = 1.0;
+
+ if( $col == -1 ) $col = $this->col+1;
+ if( $this->colwidth == 0 ) {
+ // only once at start; set default values
+ //set margins
+ $this->addPage(); $col = 0; // reset to zero
+ $this->SetMargins(MARGIN, MARGIN, MARGIN);
+ if( $this->CurOrientation != 'L' ) {
+ $this->scale *= 1.4142;
+ $this->ScaleXY($this->scale,0,0);
+ } else {
+ $this->scale *= 1.0;
+ $this->ScaleXY($this->scale,0,0);
+ }
+ $this->ncols = $this->CurOrientation == 'L'?
MAX_COLS : 1;
+ $this->colwidth = $this->w / $this->scale * 100 / $this->ncols - MARGIN*2;
+ $pagecolwidth = $this->w/$this->ncols;
+ // space between columns
+ if ($this->ncols > 1) {
+ $column_space = round((float)($this->w - ($this->ncols * $pagecolwidth)) / ($this->ncols - 1));
+ } else {
+ $column_space = 0;
+ }
+ $this->y0 = $this->GetY();
+ }
+ else {
+ if( $col == $this->col ) { // reset on close of this column
+ $x = MARGIN + $this->col*($pagecolwidth+$column_space);
+ $this->SetLeftMargin($x);
+ //$this->SetRightMargin($this->w - $x - $this->colwidth);
+ }
+ $this->PrintTable("", -1); // if pending table close up table
+ $this->myFooter(); // print footer msg if defined
+ }
+ if( $col >= $this->ncols ) {
+ $this->addPage(); $col = 0;
+ $this->ScaleXY($this->scale,0,0);
+ $this->y0 = 0; //no header/footer done...
+ } elseif ( $col > 0 AND $col < $this->ncols) {
+ // print column separator
+ $x = $this->w/$this->ncols*($this->col+1);
+ $y = $this->tMargin;
+ $this->SetLineWidth(0.1); $this->SetDrawColor(195);
+ $this->SetLineStyle(array('dash'=>'1,8') ); // gray dotted
+ $this->Line( $x, $y+27, $x, $y+185);
+ $this->SetLineWidth(0.2); $this->SetDrawColor(0);
+ $this->SetLineStyle(array('dash'=>'0') );
+ }
+ $this->col = $col;
+ // X position of the current column
+ $x = MARGIN + $col*($pagecolwidth+$column_space);
+ $this->SetLeftMargin($x);
+ $this->SetRightMargin($this->w - $x - $this->colwidth);
+ $this->SetXY($x, $this->y0);
+ $this->myHeader(); //print header msg if defined
+ $this->PrintTable("", 0); // if in table reprint title table
+ }
+
+ //Method accepting or not automatic page break
+ /*public*/ function AcceptPageBreak() {
+ $this->SetCol();
+ return false;
+ }
+
+ // redefine this routine from tcpdf.php due to scaling bug
+ /*protected*/ function checkPageBreak($h) {
+ if (((($this->y + $h)*$this->scale/100.0) > $this->PageBreakTrigger) ) {
+ if ( !$this->InFooter ) {
+ if ( ($this->AcceptPageBreak())) {
+ $rs = "";
+ //Automatic page break
+
$x = $this->x;
+ $ws = $this->ws;
+ if ($ws > 0) {
+ $this->ws = 0;
+ $rs .= '0 Tw';
+ }
+ $this->AddPage($this->CurOrientation);
+ if ($ws > 0) {
+ $this->ws = $ws;
+ $rs .= sprintf('%.3f Tw', $ws * $k);
+ }
+ $this->_out($rs);
+ $this->y = $this->tMargin;
+ $this->x = $x;
+ }
+ }
+ }
+ }
+
+ /*private*/ function S( $value = 1.0 ) {
+ return( $value * $this->scale / 100.0 );
+ }
+
+ // put Link in user space
+ /*private*/ function myLink( $x, $y, $w, $h, $Lnk = NULL, $Type = array('SubType'=>'Link') ) {
+ if( $Lnk == NULL ) return;
+ if( $Lnk == "" ) $Lnk = WEB."/";
+ $this->Annotation( $this->S($x), $this->S($y), $this->S($w), $this->S($h), $Lnk, $Type);
+ //$this->Annotation( $x, $y, $w, $h, $Lnk, $Type);
+ }
+
+
+ //require_once("../utf8/native/core.php");
+ // only for to upper case //require_once("../utf8/utils/unicode.php");
+
+ //setlocale(LC_ALL, 'de_DE');
+ // try to abbreviate a full name, returns name if abbreviation was/is done
+ // has pointers to sur name, first name, avoids titles and extentions
+ // is based that given names and family names starts with capital
+ // all names between first given name and surname are secondary names
+ // will use utf8 routines only when needed and available
+ /*private*/ function Abbreviate( $name = "") {
+ // need to change this for utf8 uppercase detection
+ // substr and strtoupper arte dependent of setlocale...
+ $substr = 'substr';
+ $strtoupper = 'strtoupper';
+ $tokens = array();
+ $cnt = preg_match_all('/([^\s\.]+\.|[^\s\.]+)/', $name, $tokens, PREG_SET_ORDER);
+ if( $cnt <= 0 ) return ( $name );
+ $fam = -1; $married = 0; $i = 0; $success = FALSE; $first_name = -1;
+ for( $j = 0; $j < $cnt ; $j++ ) {
+ $tk = $tokens[$j];
+ $nm = $tk[0]; if( $nm == "" ) continue;
+ // not utf8
+ $ltr = $substr( $nm, 0, 1 );
+ if(preg_match('/[^\x09\x20-\x7E]/',$ltr) !== 1 AND // it is utf8
+ function_exists( 'utf8_substr') ) {
+ $substr='utf8_substr';
+ //$strtoupper = 'utf8_strtoupper'; // requires utf8/utils/unicode.php
+ }
+ if( $strtoupper($ltr) != $ltr ) continue; // lower case setlocale dependent
+ elseif( preg_match('/\./', $nm ) ) {
+ if( $first_name < 0 ) $first_name = $j;
+ if( $first_name >= 0 ) $success = TRUE; // was abbreviated
+ continue; // title
+ }
+ if( $first_name < 0 ) $first_name = $j;
+ if( $married == 0 ) $fam = $j;
+ if( preg_match('/[-_]/', $nm ) ) {
+ // find special markers
+ if( $married == 0 ) $fam = $j;
+ $married++;
+ }
+ }
+ $name = "";
+ for( $j = 0; $j < $cnt; $j++ ){
+ $tk = $tokens[$j];
+ if( !isset($tk[0]) ) continue;
+ $nm = $tk[0]; if( $nm == "" ) continue;
+ if( $name != "") $name .= " ";
+ $ltr = $substr( $nm, 0, 1 );
+ if( $j == $fam ) $name .= $nm;
+ elseif( $strtoupper($ltr) != $ltr ) $name .= $nm; // lower case
+ elseif( preg_match('/\./', $nm ) ) $name .= $nm;
+ elseif( $j < $fam ) { // need to abbreviate
+ // not utf8
+ // and abbreviate
+ if( $j == $first_name )
+ $abr = "(". $substr( $nm, 1 ) . ")";
+ else $abr = ".";
+ $name .= $ltr .
$abr; $success = TRUE; // is abbreviated
+ } else $name .= $nm;
+ }
+ $ext = -1; for( $j = $cnt-1; $j >= 0 AND $j >= $fam; $j-- ) {
+ // try to find family names and see if there is abbreviation
+ $tk = $tokens[$j];
+ if( !isset($tk[0]) ) continue;
+ $nm = $tk[0];
+ if( $ext < 0 AND preg_match('/(^[^A-Z]|\.)/', $nm ) ) continue;
+ if( $ext < 0 ) $ext = $j+1;
+ if( preg_match('/\./', $nm ) ) { $success = TRUE; break; }
+ }
+ return( $success? $name : "" ); // and return abbriviated name
+ }
+
+ // set formfield coordinates
+ // this routine is needed due to field ordinates are not scaled and in user space
+ // to be called before form field call (or as width parameter)
+ // and just after with true argument to restore X Y ordinates.
+ /*private*/ function SetFieldXY( $x=NULL, $y=NULL, $w=0) {
+ static $savex;
+ static $savey;
+ static $restored = true;
+ $restoreXY = $x == NULL ? true : false;
+
+ if( $restored == $restoreXY )
+ $this->Error("internal Form Field save/restore error\n");
+ if( !$restoreXY ) {
+ /* save X Y ordinates */
+ $savex = $this->GetX(); $savey = $this->GetY();
+ // scale to user ordinates
+ $this->SetY( $this->S($y));
+ $this->SetX( $this->S($x));
+ } else {
+ /* restore X Y ordinates */
+ $this->SetY( $savey); // different from SetXY()
+ $this->SetX( $savex); // different from SetXY()
+ }
+ $restored = $restoreXY;
+ return( $this->S($w) );
+ }
+
+ // print Date on left or right side
+ /*private*/ function PrintDate( $x=10, $y=10, $dstrg="teus", $dvalue="1945-10-6", $field = NULL , $RL = 'L')
+ {
+ static $TextProps = array('strokeColor' => LLBLUE, 'value' => "", 'fillColor' => LBLUE , 'textSize' => '11', 'charLimit'=> 10);
+ $TextProps['userName'] = $this->unhtmlentities( _("yyyy-mm-dd") );
+
+ $this->SetFont( FONT, '', F_SIZE);
+ $this->SetXY($RL == 'L'? $x : $x-50, $y);
+ $this->Cell(50, 3, $dstrg, 0, 0, $RL);
+ if($dvalue) {
+ $this->SetXY($RL == 'L'?
$x :$x-50, $y+3.5);
+ $this->SetFont(FONT, "B", F_SIZE);
+ $this->Cell(50, 3, $dvalue, 0 , 0, $RL);
+ }
+ if( $field == NULL ) return;
+ $TextProps['value'] = $dvalue;
+ $this->TextField($field, $this->SetFieldXY(($RL == 'L'? $x+1 : $x-17), ($y+3.5),17), 5, $TextProps );
+ $this->SetFieldXY();
+ }
+
+ // Add import HTML text eg from CCA
+ /*public*/ function PrintHTML( $url = NULL ) {
+ if( $url == NULL OR $url == "" ) return;
+ $error = ""; $title = ""; $url = POLICY.$url.EXT;
+ if( ! file_exists($url) ) $url = WEB."/".$url;
+ $data = file_get_contents($url);
+ if( !$data ) $error = "\nInternal Error: no ".$url." found.";
+ else {
+ $regs = array();
+ preg_match('/<[Tt][Ii][Tt][Ll][Ee][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no open tag title found on $url.";
+ else {
+ $start = strpos($data, $regs[0]) + strlen($regs[0]);
+ $data = substr($data, $start);
+ }
+ $regs = array();
+ preg_match('/<\/[Tt][Ii][Tt][Ll][Ee][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no close title tag found on $url.";
+ else {
+ $end = strpos($data, $regs[0]);
+ $title = trim(substr($data,0,$end));
+ $data = substr($data, $end+strlen($regs[0]));
+ }
+ $regs = array();
+ preg_match('/<[Bb][oO][Dd][yY][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no open html body tag found on $url.";
+ else {
+ $start = strpos($data, $regs[0]) + strlen($regs[0]);
+ $data = substr($data, $start);
+ }
+ $regs = array();
+ preg_match('/<\/[Bb][oO][Dd][yY][^>]*>/', $data, $regs);
+ if( count($regs) < 1 ) $error .= "\nInternal Error: no closing html body tag found on $url.";
+ else {
+ $end = strpos($data, $regs[0])-1;
+ $data = substr($data, 1, $end);
+ }
+ }
+ if( !$title ) $title = $url;
+ $this->SetCol();
+ $this->setFont(FONT, F_SIZE);
+ if( !$error ) {
+ $this->PrintHeader(_($title), $this->unhtmlentities( _('policy document') ), strncmp($url,WEB,strlen(WEB))==0?
$url : (WEB."/".$url));
+ if( $title ) $this->Bookmark($title,0);
+ $this->writeHTMLCell($this->colwidth,2.5,$this->lMargin+1,$this->GetY()+2.5,
+ $data, 0,2,0,'L');
+ }
+ else
+ $this->MultiCell($this->colwidth, 3, $error);
+ }
+
+ /*private*/ function PrintCOAP($organisation = NULL, $registry = NULL, $assurer = NULL, $assurance = NULL){
+ $this->SetCol();
+ $this->PrintHeader($this->unhtmlentities( _('CAcert Organisation Assurance Programme'), _('Organisation Information (COAP) form'), defined('ASSCOAP')?ASSCOAP:"",defined('WEB')? WEB.substr(__FILE__, strrpos(__FILE__,"/")) : "") );
+ // define slighly different footer message
+ $this->myFooter("V". substr($this->Version(), 0, strpos($this->Version(), '.')).", ". $this->unhtmlentities( _('generated')." ".date("Y-n-j") ));
+ $this->AssuranceInfo();
+ $this->InfoOrganisation($organisation, $registry);
+ $this->StatementOrganisation($organisation);
+ $this->StatementAssurer( $assurer, $assurance );
+ }
+
+ //Add form and/or CCA (on duplex only when more as one page is printed)
+ /*public*/ function PrintForm( $organisation = NULL, $registry = NULL, $assurer = NULL, $page = NULL ) {
+
+ for($cnt=0 ; $cnt < $this->ncols; $cnt++ ) {
+ if( !isset( $page['form']) OR $page['form'] ) {
+ // the form is one page, use new room?
+ if ( $organisation == NULL OR $registry == NULL OR $assurer == NULL )
+ $this->Error("Organisation or Assurer data records failure");
+ $this->PrintCOAP( $organisation, $registry, $assurer);
+ }
+ // print off policy documents to be included in pdf file
+ foreach( $page['policies'] as $i => $file ) {
+ $this->Watermark = WATERMARK; // no watermark on these pages
+ if( $file ) $this->PrintHTML( $file );
+ }
+ if( $this->col > 0 OR $this->getPage() > 1 ) break;
+ }
+ if( $this->getPage() > 1 ) {
+ // and on duplex print back side with Community Agreement
+ if( $this->CurOrientation == 'P' )
+ $this->ViewerPrefs['Duplex'] = 'DuplexFlipLongEdge';
+ else
+ $this->ViewerPrefs['Duplex'] = 'DuplexFlipShortEdge';
+ }
+ // close up this column, make sure footer is printed.
+ $this->my_header_msg = NULL; $this->SetCol($this->col);
+ }
+
+// Set form title (right align)
+/*public*/ function PrintHeader($title1 = " ", $title2 = " " , $url1 = NULL, $url2 = NULL) {
+ // store current top margin value
+ $tSide = $this->tMargin;
+
+ // CAcert logo
+ // eps should be better, but it does not seem to work with CAcert logo
+ $this->rMargin -= 1;
+ $this->myFooter($title1,$url1);
+ $this->myHeader($title2,$url2);
+ if( LOGO_TYPE == '.eps' )
+ $this->ImageEPS(BW?LOGO.'mono'.LOGO_TYPE:LOGO.'colour'.LOGO_TYPE,
+ ($this->lMargin+$this->colwidth)-51,$tSide-3,51);
+ else
+ // png image 1000 X 229 * 8 bits
+ $this->Image(BW?LOGO.'mono'.LOGO_TYPE:LOGO.'colour'.LOGO_TYPE,
+ ($this->lMargin+$this->colwidth)-51,$tSide-3,51,0,0,
+ NULL,0,true,intval(LOGO_DPI));
+ $this->myLink($this->lMargin+$this->colwidth-51, $tSide-3,51,51/1000*229,WEB."/");
+ // form type
+ $this->SetFont(FONT,'B',F_SIZE+5);
+ $this->SetY($tSide+5); $this->SetX($this->lMargin);
+ $l = $this->GetStringWidth($title1);
+ $this->Cell($this->colwidth+1,14,$title1,0,0,'R',0,NULL);
+ if( $url1 != NULL AND $url1 != "" )
+ $this->myLink($this->lMargin+$this->colwidth-$l,$this->GetY()+5,$l,(F_SIZE+5)/2.9,$url1);
+ $this->Ln(5);
$this->SetX($this->lMargin); + $l = $this->GetStringWidth($title2); + $this->Cell($this->colwidth+1,14,$title2,0,0,'R',0,NULL); + if( $url2 != NULL AND $url2 != "" ) + $this->myLink($this->lMargin+$this->colwidth-$l,$this->GetY()+5,$l,(F_SIZE+5)/2.9,$url2); + + // CAcert Inc. postbox address + $this->Ln(6); $this->SetX($this->lMargin); + $this->SetFont(FONT,'',F_SIZE); + $savex = $this->GetX(); $savey = $this->GetY(); + $strg = POBOX ." - ". WEB; + $this->SetXY($this->lMargin+$this->colwidth-$this->GetStringWidth($strg)-1.1,$this->GetY()+3.5); // right align + if( !BW ) $this->SetTextColor(17,86,140); + $ret = $this->Write(0, $strg, NULL); + $l = $this->GetStringWidth($strg); + $this->myLink($this->lMargin+$this->colwidth-$l,$this->GetY()+0.5,$l,F_SIZE/2.9,WEB); + $this->Ln(); + if( !BW ) $this->SetTextColor(0); + $this->SetXY($savex,$savey); + + // sha1 fingerprint CAcert rootkeys class 1 and class 3 + $strg = $this->unhtmlentities( _("CAcert's Root Certificate sha1 fingerprints") ) . ", class 1: ". CLASS1_SHA1 . ", class 3: " . 
CLASS3_SHA1; + $this->Ln(3); $this->SetX($this->lMargin); + $this->SetFont(FONT,'',F_SIZE * $this->colwidth / ($this->GetStringWidth($strg) +1)); + $this->Cell($this->colwidth,10, $strg,0,0,'C',0,NULL); + $this->myLink($this->lMargin, $this->GetY()+4,$this->colwidth,F_SIZE/2.9,ROOTKEYS); + $this->SetLineWidth(0.1); + if ( BW ) { $this->SetDrawColor(195); + } else { $this->SetDrawColor(17,86,140); + } + + $this->Line($this->lMargin, $tSide+25, $this->lMargin+$this->colwidth, $tSide+25); + $this->SetLineWidth(0.2); $this->SetDrawColor(0); + $this->rMargin += 1; + $this->SetXY($this->lMargin, $tSide+26); // top + } + +// Set general form information + /*private*/ function PrintInfo( $strg = "", $url = "") { + // store current margin values + + // Print text blurb paragraph at top of page + $this->SetFont(FONT,'',F_SIZE+0.5); + $this->SetXY($this->lMargin, $this->GetY()-1.5); + $y = $this->GetY(); $x = $this->GetX(); + $cnt=$this->MultiCell($this->colwidth+1, 0, $strg,0,'L',0,2); + if ( $url != "" ) // link should be in user space + $this->myLink($x, $y, $this->colwidth, $this->GetY()-$y, $url); + return($cnt); + } + +// print general CAP info +/*public*/ function AssuranceInfo( ) { + // store current margin values + $cellcnt = 0; + $this->SetY($this->GetY()+0.5); + $this->Bookmark($this->unhtmlentities( _('CAcert COAP form') ),0,$this->S($this->GetY())); + + // Show text blurb at top of page + $strg = $this->unhtmlentities( _('The CAcert Organisation Programme (COAP) aims to verify the identity of the organisation.') ); + $strg .= "\r\n". $this->unhtmlentities( _('The Applicant asks the Organisation Assurer to verify to CAcert Community that the information provided by the Applicant is correct, and according to the official trade office registration bodies.') ); + $cellcnt += $this->PrintInfo( $strg, defined('ASSINTRO')? 
ASSINTRO:""); + $cellcnt += $this->PrintInfo( $this->unhtmlentities( _('For more information about the CAcert Organisation Assurance Programme, including detailed guides to CAcert Organisation Assurers, please visit:')." ".WEB, defined('ASSCOAP')?ASSCOAP:"") ); + $cellcnt += $this->PrintInfo( $this->unhtmlentities( _('A CAcert Arbitrator can require the Organisation Assurer to deliver the completed forms and accompanying documents in the event of a dispute.'),defined('ARBIT')?ARBIT:"") ); + $this->SetY($this->GetY()+0.3); + return( $cellcnt); + } + + // print empty table with title for statements (called twice per table) + /*private*/ function PrintTable( $strg = NULL, $height = -1, $ext = 0 ) { + // store current margin values + static $tSide = -1; + static $title = ""; + if( $height < 0 ) { // mark table position, leave room for title + if( $strg != "" ) $title = $strg; + if( $title == "" ) return ($this->GetY()); // nothing to do + $tSide = $this->GetY()+1; + // background + if ( BW ) { + $this->SetFillColor(195); + $this->SetDrawColor(195); + } else { + $this->SetFillColor(173,197,215); + $this->SetDrawColor(173,197,215); + } + $this->Rect($this->lMargin-1,$tSide-1,1,9, "F"); + $this->Rect($this->lMargin-1,$tSide-1,$this->colwidth,1, "F"); + $this->SetFillColor(255); + if ( BW ) { $this->SetFillColor(125); + } else { $this->SetFillColor(17,86,140); + } + $this->Rect($this->lMargin,$tSide,$this->colwidth,7, "DF"); + $this->SetFillColor(255); $this->SetDrawColor(0); + + $this->SetXY($this->lMargin+1, $tSide+0.6); + $this->Bookmark($title,1,$this->S($tSide)); + $this->SetFont(FONT, '', F_SIZE+7); + $this->SetTextColor(255); + $this->Write(0, $title); + $this->SetTextColor(0); + $this->SetXY($this->lMargin+1, $tSide + 7); + $tSide += 8; // save old top + if ( $height != 0 ) return($this->GetY()); + } + elseif( $tSide < 0 ) return( $this->GetY()); + if( $height == 0 ) { // interrupted bottum of column reached + $height = $this-GetY() - $tSide; $save = $title; + 
$this->PrintTable("", $height); // finish till bottumn page + $tSide = $this->originalMargin; + $title = $save; + return( $this->GetY()); + } + if( $strg != "" ) $title = $strg; // just to be defensive + + // background + if ( BW ) { + $this->SetFillColor(195); + $this->SetDrawColor(195); + } else { + $this->SetFillColor(173,197,215); + $this->SetDrawColor(173,197,215); + } + $this->Rect($this->lMargin-1,$tSide,1,$height-1+$ext, "F"); + if( $ext ) + $this->Rect($this->lMargin-1,$tSide+$height,$this->colwidth,$ext, "F"); + $this->SetFillColor(255); + // borders of the table left, bottumn, right + $this->Line($this->lMargin,$tSide+$height-1, $this->lMargin, $tSide+$height); + $this->Line($this->lMargin,$tSide+$height,$this->lMargin+$this->colwidth,$tSide+$height); + $this->Line($this->lMargin+$this->colwidth,$tSide-1, $this->lMargin+$this->colwidth, $tSide+$height); + $this->SetDrawColor(0); + $this->SetY($tSide + $height + 1); // set Y ordinate to plus 7 + $tSide = -1; $title = ""; + return($this->GetY()); + } + +// a name, email address, phone number + /*private*/ function PrintName( $info = "", $title = "", $field = "", $name = "", $email = NULL, $phone = NULL, $backgrnd = false ) { + static $TextProps = array('strokeColor'=> LLBLUE, 'value' => " ", 'fillColor'=> LBLUE, 'doNotScrole'=> 'false', 'textSize' => 10, 'rotate'=> '0'); + + // just once to recover from Acrobat 7.0 problem !!!!!!!!!!!!!!!!!!!!!!!!!! + // make sure before the first time form field JS is called the fake is done + static $AcrobatName = array('strokeColor'=> LLBLUE, 'fillColor'=> LLBLUE, 'readonly' => 'true'); + if( $AcrobatName != NULL ) { + $this->TextField( 'NameNone', $this->SetFieldXY(300, $this->GetY()+2, 0), 0, $AcrobatName); + $this->SetFieldXY(); $AcrobatName = NULL; + } + // end of Acrobat defeat !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
+ $cellcnt = 1; $msg = ""; + // put assurer help for assurance in pdf file for mouse over + if ( $info != "" ) $msg = $info; + if ( $email != NULL AND $email != "" AND $title != "" ) + $msg .= " ". $this->unhtmlentities( _('The email address, which matches the CAcert account email address, is handy for administrative and contact reasons. For organisation administrator the email address is required.') ); + if( $msg != "" ) + $this->myLink($this->lMargin-7, $this->GetY()-1, 5, 3, $msg, + array('subtype'=> 'Text', 'Open' => true, + 'c'=> array(173,197,215), 'name' => 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _('COAP form help') )) + ); + if( $backgrnd ) { + if ( BW ) { + $this->SetFillColor(241); + } else { + //$this->SetFillColor(173,197,215); + $this->SetFillColor(234, 241, 246); + } + $this->Rect($this->lMargin+37.5,$this->GetY()+0.1, + $this->colwidth-38.5, + ($email != NULL AND $email != "") ? 5.7 : 2.8, + "F"); + $this->Rect($this->lMargin+1,$this->GetY()+0.1, + 35.5, + ($email != NULL AND $email != "") ? 5.7 : 2.8, + "F"); + $this->SetFillColor(255); + } + // assurer identity info + $this->SetX($this->lMargin+1); + $savey = $this->GetY(); + $this->SetFont(FONT, '', F_SIZE); + $l = $this->GetStringWidth($title); + //$l = ($l<=0? 0 : ($l < 35? 35 : $l)); + $l = $l < 35 ? 
35 : $l; + $this->Write(0, $title); + $this->SetXY($this->lMargin+2+$l, $savey); + if( $name ) { + $this->SetFont(FONT, 'B', F_SIZE); + $this->SetXY( $this->lMargin+2 + $l, $savey-1); + $cellcnt += $this->MultiCell($this->colwidth-$l-3, 3, $name, 0, 1); + if( function_exists('utf8_to_ascii') AND + !utf8_is_ascii_ctrl( $name) ) + $ascii = utf8_to_ascii($name); + else + $ascii = ""; + if( $ascii == $name ) $ascii = ""; + if( $email != NULL ) $abbr = $this->Abbreviate( $name ); else $abbr=""; + if( $ascii != "" OR $abbr != "") { + $la = $this->GetStringWidth($name) + 5; + $msg = $this->unhtmlentities( _('The exact name of the individual may have transliterated characters and/or some given names may be abbreviated. If present the first given name will be shown abbreviated and parentheses around the last part of the given name.') )."\r\n"; + if( $ascii != "" ) $msg .= '* '. $ascii . "\r\n"; + if( $abbr != "" ) $msg .= '* '. $abbr . "\r\n"; + $this->myLink($this->lMargin+$l+$la, $savey, 3, 2, $msg, + array('subtype'=> 'Text', 'Open' => false, + 'c' => array(173,197,215), 'name' => 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't' => $this->unhtmlentities( _('On the full name of the Assurer') ))); + } + } + $TextProps['value'] = $name ? $name : " "; + $TextProps['userName'] = $this->unhtmlentities( _('Full exact name of the individual.') ); + $this->TextField($field.($email? 
'Name' : ""), $this->SetFieldXY($this->lMargin+2+$l, $savey, $this->colwidth-$l-3-($phone?25:0)), 4.5, $TextProps ); + $this->SetFieldXY(); + if( $phone AND $phone != " " ) { + $sx = $this->GetX(); $sy = $this->GetY(); + $this->SetFont(FONT, "", F_SIZE); + $sw = $this->GetStringWidth($phone) + 2; + $this->SetXY( $this->lMargin+$this->colwidth-$sw -4, $sy-4.8); + $this->SetFont('zapfdingbats', "", F_SIZE+3); + $this->Write(0, "&"); // telephone symbol + $this->SetXY( $this->lMargin+$this->colwidth-$sw-1, $sy-4.1); + $this->SetFont(FONT, "", F_SIZE); + $this->Cell($sw+1,0,$phone); + } + if( $phone ) { + $TextProps['value'] = $phone ? $phone : $this->unhtmlentities( _('phone nr') ) . "?"; + $TextProps['userName'] = $this->unhtmlentities( _('For organisation administrators and assurer: provide email address and optionally your phone number.') ); + $this->TextField($field.'Phone', $this->SetFieldXY($this->lMargin+$this->colwidth-25, $savey, 24), 4.5, $TextProps ); + $this->SetFieldXY(); + } + $savey += 3; + if( $email AND $email != " " ) { + $this->SetXY($this->lMargin+2+$l, $savey); $cellcnt++; + $this->SetFont(FONT, "", F_SIZE); + if( !BW ) $this->SetTextColor(17,86,140); + $this->Write(0, $email); + $this->myLink($this->lMargin+$l, $savey,$this->GetStringWidth($email), 3, "mailto:". $email . "?subject=" . $this->unhtmlentities( _('Organisation Assurance') )); + if( !BW ) $this->SetTextColor(0); + } + if( $email ) { + $TextProps['value'] = $email ? $email : $this->unhtmlentities( _('email') ) . 
"?"; + $TextProps['userName'] = $this->unhtmlentities( _('For organisation administrators and assurer: provide email address and optionally your phone number.') ); + $this->TextField($field.'Email', $this->SetFieldXY($this->lMargin+2+$l, $savey, $this->colwidth-$l-28), 4.5, $TextProps); + $this->SetFieldXY(); $savey += 3; + } +// phone number + $this->SetXY($this->lMargin+2, $savey); + return( $cellcnt ); + //$H = 5; // height of the name cell + } + +// All information of Applicant goes in one table +/*public*/ function InfoOrganisation( $organisation = NULL, $registry = NULL ){ + // Applicant Identity information part + $tSide = $this->PrintTable($this->unhtmlentities( _('Organisation Identity Information') ))+1; + + $msg = $this->unhtmlentities( _('The organisation name, director name and signature, and applicable company law is checked by the Organisation Assurer with the official Trade Office Registration (Extract) or by other means. The organisation domain name(s) are checked of ownership against the internet domain DNS records.') ); + $msg .= "\r\nThe organisation administrator (a CAcert Assurer) email address must be the primary email address registered with CAcert."; + // put hint on comparing names on title table + $this->myLink($this->lMargin-7, $tSide-7, 5, 5, $msg, + array('subtype'=> 'Text', 'Open' => true, + 'c'=> array(173,197,215), 'name' => 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _('On organisation identity information') ))); + + $this->SetXY($this->lMargin+1, $tSide); + $this->PrintName( + $this->unhtmlentities( _('The official full name of the organisation equal to the name of the organisation registered e.g. at the trade office registration of the state.') ), + $this->unhtmlentities( _('Name of the organisation') )." 
", + "OrganisationNames0", + $organisation['namecnt']>0?$organisation['names'][0]:" ", + NULL, NULL, true); + $this->PrintName( + $this->unhtmlentities( _('The organisation address which should be equal to the address registered with the trade office.') ), + $this->unhtmlentities( _('Address (comma separated)') )." ", + "OrganisationAddress", + $organisation['address'], + NULL, NULL, true); + $strg = ""; + foreach( array( $organisation['type'], $organisation['state'], $organisation['country']) as $i ) + if( $i != "" ) $strg .= ($strg != "" ? ", ": "") . $i; + $this->PrintName( + $this->unhtmlentities( _('The legal organisation type: eg Ltd, EPS, society, foundation, association, etc. The state/country under which jurisdiction the organisation operates.') ), + $this->unhtmlentities( _('Type, jurisdiction (state)') )." ", + "OrganisationType", + $strg, + NULL, NULL, true); + //$this->Ln(0.4); + $strg = $organisation['namecnt'] <= 1 ? "" : $organisation['names'][1]; + for( $i = 3; $i <= $organisation['namecnt']; $i++) + $strg .= ", ". $organisation['names'][$i-1]; + $this->PrintName( $this->unhtmlentities( _('Other registered trade names of the organisation. (comma separated)') ), + $this->unhtmlentities( _('Registered Trade Names') ), 'OrganisationDBA', + $strg, + NULL, NULL, true); + //$this->Ln(0.4); + $strg = ""; + foreach( array( $registry['identifier'], $registry['name'], $registry['region'], $registry['date'] ) as $i ) + if( $i != "" ) $strg .= ($strg != "" ? ", " : "") . $i; + $this->PrintName( + $this->unhtmlentities( _('Trade Office Registry information, as organisation registration Identification number or license number, name of the trade office registry, trade office operating region, and optionally date of extract.') ), + $this->unhtmlentities( _('Registration (id, name, region)') ), + 'torinfo', + $strg, + NULL, NULL, true); + $this->Ln(0.4); + $strg = ""; foreach( $organisation['domains'] as $i ) + $strg .= ($strg != "" ? ", " : "") . 
$i; + $this->PrintName( + $this->unhtmlentities( _('The internet domain name(s) the organisation controls and owns. The names will be checked with WHOIS with e.g. the DNS official top domain registrar e.g. the country ccTLD .<country code> registrar.') ), + $this->unhtmlentities( _('Internet Domain(s)') ), + 'OrganisationDomains', + $strg, + NULL, NULL, true); + $this->Ln(0.4); + // all (max) three names with ID type right aligned. + // contact info o-admin address assuree + $cnt = $organisation['admincnt']; + $space = $this->getPageHeight()/$this->scale*100.0 -MINH ; // margin + for( $i = 0; $i < $cnt; $i++ ) { // names to be printed + $this->PrintName( + $this->unhtmlentities( _('The organisation administrator (CAcert Assurer) contact information. The administrator is appointed by the organisation director to administer the organisation domain certificates, secure the certificates and maintain them.') ), + $this->unhtmlentities( _('Organisation Administrator') ), + sprintf("OrganisationAdmin%d",$i), + $organisation['admins'][$i]['name'], + $organisation['admins'][$i]['email']? $organisation['admins'][$i]['email']:" ", + $organisation['admins'][$i]['phone']? $organisation['admins'][$i]['phone']:" ", + TRUE); + if( $space < $this->getY() ) break; + } + for( $j=0 ; $j < $i+3; $j++ ) { + // empty fields up to max 3 empty fields and allowed space + if( $space < $this->getY() ) break; + $this->PrintName( + $i+$j == 0? $this->unhtmlentities( _('The organisation administrator (CAcert Assurer) contact information. The administrator is appointed by the organisation director to administer the organisation domain certificates, secure the certificates and maintain them.') ):"", + $i+$j > 0? 
"": $this->unhtmlentities( _('Organisation Administrator') ), + sprintf("OrganisationAdmin%d",$i+$j), + "", " ", " ", TRUE); + } + $this->Ln(0.8); + //$this->SetXY($this->lMargin+1, $this->GetY()+0.35); + $next = $this->PrintTable( "", $this->GetY()-$tSide, 5); + $this->SetY($next); +} + + // print marked paragraph in the table + /*private*/ function PrintTicked( $strg = "", $tick = true ) { + // store current margin values + $savey = $this->GetY(); + + $celcnt = 0; $this->SetX($this->lMargin + 1); + if( $tick ) { + // use ✔ and â‘ of zapfdingbats font for OK tick + $savex = $this->GetX(); + $this->SetXY($this->GetX(), $savey+0.9); + $this->SetFont("zapfdingbats", F_SIZE+3); + $this->Write(0,"q"); // â‘ + $this->SetXY($savex+0.1, $savey+0.1); + if ( BW ) + $this->SetTextColor(80); + else + $this->SetTextColor(17, 86, 140); + //$this->SetTextColor(0,92,0); // #00BE00 lime + $this->Write(0,"4 ");// ✓ + $this->SetTextColor(0); + } + $this->SetXY($this->GetX(), $savey); + $this->SetFont(FONT,'',F_SIZE+0.5); + $celcnt = $this->MultiCell($this->lMargin+$this->colwidth-$this->GetX(), 3, $strg,0,'L'); + $this->SetXY($this->lMargin+1, $this->GetY()-1.5); + return($celcnt); + } + +// assuree statement +/*public*/ function StatementOrganisation( $organisation = NULL ) { + // store current margin values + $cellcnt = 0; + + // assuree statement section + $tSide = $this->PrintTable($this->unhtmlentities( _("Organisation's Statement") )); // mark table header + $msg = $this->unhtmlentities( _('The Director indicated by the Trade Office Registry Extract, has to underwrite the correctness of the information for the organisation and allowance of certificate operations by the administrators.') ); + $msg .= "\r\nFor formal contact with the organisation the email address of the organisation is required."; + // put hint on comparing names on title table + $this->myLink($this->lMargin-7, $tSide-7, 5, 5, $msg, + array('subtype'=> 'Text', 'Open' => true, + 'c'=> array(173,197,215), 
'name'=> 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _("On director's statement") ))); + + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _("Make sure you have read and agreed with the CAcert Community Agreement") ), false /* no tick */); + if( !BW ) $this->SetTextColor(17, 86, 140); + $this->SetXY($this->lMargin+2,$this->GetY()-0.5); + $ret = $this->Write($this->lasth, WEB."/".POLICY.CCA.EXT, NULL); + $this->myLink($this->lMargin+1, $this->GetY()-F_SIZE/2.9, $this->colwidth-2, F_SIZE*2.9/2.9, WEB."/".POLICY.CCA.EXT); + $this->Ln(4); + if( !BW ) $this->SetTextColor(0); + $this->Ln(0.3); + + $this->PrintName($this->unhtmlentities( _('Name and contact details (organisation email address & optionally phone number), of the Director of the organisation as is referred to in the trade office extract.') ), + $this->unhtmlentities( _('Director') ), "OrganisationDirector", $organisation['director'], + $organisation['email']?$organisation['email'] : "email:", + $organisation['phone']? $organisation['phone']:" "); + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _('I agree to the CAcert Community Agreement.') ), true /* tick */); + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _('I hereby confirm that all information is complete and accurate and will notify CAcert of any updates or changes thereof.') ), true /* tick */); + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _('I am duly authorised to act on behalf of the organisation, I grant operational certificate administrative privileges to the specified Organisation Administrator and, I request the Organisation Assurer to verify the organisation information according to the Assurance Policies.') ), true /* tick */); + + $this->Ln(0.5); + $savey = $this->GetY(); + $strg = $this->unhtmlentities( _('Date') ); + if($organisation['date'] == "") + $strg .= " (". $this->unhtmlentities( _("yyyy-mm-dd") ). 
")"; + $strg = $strg; + $this->PrintDate( $this->lMargin+1, $savey+1, $strg, $organisation['date'], 'OrganisationDate', 'L'); + + $strg = $this->unhtmlentities( _('Signature and organisation stamp') ); + $this->SetFont(FONT, '', F_SIZE); + $l = $this->GetStringWidth( $strg ); + $this->SetXY($this->lMargin+$this->colwidth-$l-3, $savey+1); + $this->Write(0, $strg); $this->Ln(7) ; // and leave some room + + // draw the table borders and header at marked ordinate + $next = $this->PrintTable("", $this->GetY()-$tSide); + + $this->SetY($next); + } + +// assurer statement + /*public*/ function StatementAssurer( $assurer = NULL ) { + if( $assurer == NULL ) return; + + // store current margin values + $TextProps = array('strokeColor'=> LLBLUE, 'value' => "", 'fillColor'=> LBLUE, 'doNotScrole'=> 'true', 'textSize' => '14', 'rotate'=>0); + $cellcnt = 0; + + $tSide = $this->PrintTable($this->unhtmlentities( _("Organisation Assurer's Statement") )); // mark table ordinate + // put assurer help for assurance in pdf file for mouse over + $msg = $this->unhtmlentities( _('The organisation assurer will check the trade office registry for company information (name, location, country of jurisdiction, director names, trade office Identification number, domain name ownership, and system admin reference). Any associated costs for this research will be reimborsed by the assurer from the organisation.') ); + $this->myLink($this->lMargin-7, $tSide-6, 5, 5, $msg, + array('subtype'=> 'Text', 'Open' => true, + 'c'=> array(173,197,215), 'name'=> 'Comment', + 'f'=> array( 'nozoom', 'readonly', 'norotate'), + 't'=> $this->unhtmlentities( _('On mutual assurance') ))); + // assurer identity info + $this->Ln(0.9); + $this->PrintName( + $this->unhtmlentities( _('The Organisation Assurer contact information. This assurer will verify the organisation identity and registration information.') ), + $this->unhtmlentities( _('Organisation Assurer') ) . " ","Assurer", + $assurer['name'], + $assurer['email']? 
$assurer['email']:" ", + $assurer['phone']? $assurer['phone']:" "); + + // assurer statements + $this->SetY($this->GetY()-0.5); + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _("I, the Assurer, hereby confirm that I have verified the official Information for the organisation, I will witness the organisation's identity in the CAcert Organisation Assurance Programme, and complete the Assurance.") ), true /* ticked */); + $cellcnt += $this->PrintTicked( $this->unhtmlentities( _('I am a CAcert Community Member, have passed the Organisation Assurance Challenge, and have been appointed for Organisation Assurances within the country where the organisation is registered.') ), true /* ticked */); + $this->Ln(1); $savey = $this->GetY(); + + $strg = $this->unhtmlentities( _('Date') ); + if( $assurer['date'] == "" ) $strg .= " (" . $this->unhtmlentities( _("yyyy-mm-dd") ).")"; + $strg = $strg; + $this->PrintDate( $this->lMargin+1, $savey, $strg, $assurer['date'], 'AssurerDate', 'L'); + + $this->SetXY($this->lMargin+1, $savey); + $this->SetFont(FONT, "",F_SIZE); + $strg = $this->unhtmlentities( _("Organisation Assurer's signature") ); + $this->SetXY($this->lMargin+$this->colwidth-$this->GetStringWidth($strg)-3, $savey); + $this->Write(0, $strg ); + $savey = $this->GetY()+7; // leave room for date and signature + if( $this->GetPageHeight()/$this->scale*100.0-$savey > MARGIN+4) + $savey += 2; + $this->SetXY($this->lMargin+1, $savey); + $l = $this->GetPageHeight()/$this->scale*100.0-$this->GetY() - MARGIN; + if($l > 3 ) $l = 3; if( $l > 0 ) $this->Ln($l); // try to come close to margin + $next = $this->PrintTable("", $this->GetY()-$tSide); + $this->SetY($next); + } + +// End of CAPPDF TCPDF class extension +} + + +// -------------------------------------------------------------------------------- +// import environmental data ------------------------------------------------------- +// get $form, $orientation, $assuree, $assurer, $assurance info +// FONT and BW are set 
already
+
+// import info
+$utf8 = false;
+function GET( $key = "" ) {
+ global $utf8;
+ $strg = array_key_exists( $key, $_GET) ? $_GET[$key] : "";
+ if(!$utf8 AND $strg != "" AND
+ !utf8_is_ascii_ctrl($strg) AND
+ !function_exists('utf8_to_ascii')) {
+ $utf8 = true;
+ }
+ return( $strg );
+}
+
+// form, CCA and page format info
+ $page['format'] = strtolower(GET('format')); // A3, A4, A5, letter, legal, etc.
+ if( !$page['format'] ) $page['format'] = 'a4'; // default a4, portrait
+ // on landscape orientation we do two half pages
+ $page['orientation'] = strtolower(GET('orientation'));
+ if( $page['orientation'] != 'l' AND $page['orientation'] != "landscape" ) {
+ $page['orientation'] = 'p'; // default is portrait and 1 up
+ }
+ $page['form'] = GET('noform') != "" ? false : true;
+ // dft is now true it should go to true
+ $page['policies'] = array();
+ if( GET('nocca') == "" ) {
+ if( defined('CCA') ) $page['policies'][] = CCA;
+ }
+ // set $page['form'] on 'simplex' or 'duplex' to get CCA on pdf page
+
+// Assurer info
+$assurer = array ( 'name' => my_recode(GET('assurer')) ,
+ 'email' => my_recode(GET('assureremail')),
+ 'date' => my_recode(GET('assurerdate')),
+ 'phone' => my_recode(GET('assurerphone')),
+ );
+
+/*
+// assurance info
+$assurance = array ( 'location' => my_recode(GET('location')),
+ 'date' => my_recode(GET('assurancedate'))?my_recode(GET('assurancedate')):
+ my_recode(GET('date')),
+ 'notes' => '' // not yet used
+ );
+*/
+
+// trade office info
+$registry = array (
+ 'identifier' => my_recode(GET('identifier')),
+ 'date' => my_recode(GET('tordate')),
+ 'region' => my_recode(GET('torregion')),
+ 'name' => my_recode(GET('tor')),
+ );
+
+// Assuree info
+$organisation = array (
+ 'names' => array( ), // [0] full name, [>0] DBA's
+ 'namecnt' => 0,
+ 'date' => my_recode(GET('date')) == "now" ?
date("Y-m-d") :
+ my_recode(GET('date')),
+ 'address' => my_recode(GET('address')),
+ 'state' => my_recode(GET('state')),
+ 'country' => my_recode(GET('country')),
+ 'type' => my_recode(GET('type')),
+ 'director' => my_recode(GET('director')),
+ 'email' => my_recode(GET('email')),
+ 'phone' => my_recode(GET('phone')),
+ 'domains' => array(), // dns names for server certs
+ 'admincnt' => 0,
+ 'admins' => array(), // name, email, phone
+ );
+
+if( $assurer['date'] == "now" ) $assurer['date'] = date("Y-m-d");
+//if( $registry['date'] == "now" ) $registry['date'] = date("Y-m-d");
+
+function Dstr( $first = "", $strg = "", $cnt = 0 ) {
+ return( $cnt>0? sprintf("%s%d%s", $first, $cnt, $strg) : $first.$strg );
+}
+// company name info and trade names
+$j = 0; // after two successive empty names we stop
+for( $i = -1; $i <= 9 AND $j < 3; $i++) { // max 9 names we only print 4 max...
+ $name = my_recode(GET(Dstr($i>=0? "dba" : "name", "", $i)));
+ if( $name ) { $j = 0;
+ $organisation[ 'namecnt' ]++;
+ $organisation[ 'names' ] [] = $name;
+ } else $j++;
+}
+// administrator info
+$j = 0; // after two successive empty names we stop
+for( $i = 0; $i <= 9 AND $j < 2; $i++) { // max 9 names we only print 4 max...
+ $name = my_recode(GET(Dstr("admin", "", $i)));
+ if( $name ) { $j = 0;
+ $organisation[ 'admincnt' ]++;
+ $organisation[ 'admins' ] [] = array (
+ 'name' => $name ?
$name : "",
+ 'email' => my_recode(GET(Dstr("admin","email",$i))),
+ 'phone' => my_recode(GET(Dstr("admin","phone",$i))),
+ );
+ } else $j++;
+}
+// organisation domain names convert to array of lowercased names
+$j = 0; $domains = "";
+for( $i = 0; $i <= 25 AND $j < 2; $i++ ) {
+ $name = my_recode(GET(Dstr("domain", "", $i)));
+ if( $name ) { $j = 0;
+ if( $domains != "" ) $domains .= ",";
+ $domains .= strtolower($name);
+ } else $j ++;
+}
+$i = 0;
+if( $domains ) { // csv list to array and trim white spaces
+ $domains = strtok($domains,',');
+ for( ; $domains != ""; $i++) {
+ $organisation['domains'][$i] = trim($domains); $domains = strtok(',');
+ }
+ sort( $organisation['domains'] );
+} else $organisation['domains'][0] = " ";
+unset($domains);
+
+// try to get policy documents names to be printed off
+$j = 0; // after two successive empty name we stop searching
+for( $i = 1; $i <= 9 AND $j<2; $i++ ) {
+ $name = GET(sprintf("policy%d", $i));
+ if( $name != "" ) { $page['policies'][] = $name; $j = 0; }
+ else $j++;
+}
+
+if( $utf8 ) { // have scanned arguments for non-ascii code now
+ //require_once("../utf8/native/core.php");
+ // only for to upper case require_once("../utf8/utils/unicode.php");
+ require_once ( UTF8_ASCII );
+}
+
+unset( $i ); unset( $j); unset( $utf8 ); // unset($_GET);
+// end of arguments imports
+
+ header("Expires: ".gmdate("D, j M Y G:i:s \G\M\T", time()+10800));
+ header("Content-Disposition: attachment; filename=CAcert cap.pdf");
+ header("Cache-Control: public, max-age=10800");
+ header("Pragma: cache");
+// Content-Type and Content Length is done by tcpdf package
+
+// create new PDF document =====================================================
+ $pdf = new COAPPDF(
+ /* PDF_PAGE_ORIENTATION */ $page['orientation'],
+ PDF_UNIT /* mm */,
+ /* PDF_PAGE_FORMAT */ $page['format'],
+ true
+ );
+ $pdf->SetFormat( $page['format'] ); // set paper size scaling
+
+// protection is encryption and this will cause 3.5 times performance loss
+//
$pdf->SetProtection(array('print', 'annot-forms'));
+
+// set document property information
+ $pdf->SetCreator("LibreSSL - CAcert web application");
+ $pdf->SetAuthor("© " . date("Y") . " CAcert Inc., Australia.");
+ $pdf->SetKeywords("X.509, Organisation Assurance Programme, COAP form, digital certificates, CAcert, Community Agreement");
+ $pdf->SetTitle("CAcert Organisation Assurance Programme");
+ $pdf->SetSubject("COAP form V".$pdf->Version().", generated " . date("Y-n-j H:i:s T"));
+ if( GET('watermark') != '') $pdf->Watermark = my_recode(GET('watermark'));
+ // requires zlib and will decrease response time but increase bandwidth
+ // if no zlib is found, automatically no compression is done
+ $pdf->SetCompression(true); // turn it off when more pperformance is needed
+
+// AddSJISFont function is not present in tcpdf package !!!!
+
+//set auto page breaks
+ $pdf->SetAutoPageBreak(TRUE, MARGIN*0.707);
+
+//set image scale factor
+ $pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
+
+//set some language-dependent strings
+ $pdf->setLanguageArray($l);
+
+//initialize document
+ $pdf->AliasNbPages();
+
+// AND GENERATE THE FORM ===================================
+ // generation properties which have been set from environment:
+ // BW (color), FONT (free Sans Vera), orientation (portrait, 1-up), format (A4)
+ if ( FONT == 'SJIS') $pdf->AddSJISFont();
+ $pdf->PrintForm($organisation, $registry, $assurer, $page);
+ $pdf->setViewerPreferences($pdf->ViewerPrefs);
+
+//Close and output PDF document
+ $pdf->Output("CAcert COAP.pdf", "I");
+
+//============================================================+
+// END OF FILE
+//============================================================+
+?>
diff --git a/cacert/www/cps.php b/cacert/www/cps.php
new file mode 100644
index 0000000..ed4065a
--- /dev/null
+++ b/cacert/www/cps.php
@@ -0,0 +1,1553 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+ loadem("index");
+ showheader(_("Welcome to CAcert.org"));
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+<meta name="description" content="CAcert Certificate Policy (CP) and Certification Practice Statement (CPS)">
+<meta name="keywords" content="Policy, Practice Statement, CPS, Issuer Statement, RFC2527, RFC3647">
+<title>Policy and Practice Statement</title>
+<style type="text/css">
+<!--
+body {
+ font-family : verdana, helvetica, arial, sans-serif;
+}
+
+pre, code, kbd, tt, samp {
+ font-family : courier, monospace;
+}
+
+th {
+ text-align : left;
+}
+
+.blockpar {
+ text-indent : 2em;
+ margin-top : 0em;
+ margin-bottom : 0.5em;
+ text-align : justify;
+}
+
+.center {
+ text-align : center;
+}
+
+.tbd {
+ color : green;
+}
+
+.errmsg {
+ color : red;
+}
+
+a:hover {
+ color : gray;
+}
+-->
+</style>
+</head>
+<body>
+
+<h1>CA Policy and CPS</h1>
+
+
+<font size="-1">
+ <li><a href="#p1">1. INTRODUCTION</a><ul>
+ <li><a href="#p1.1">1.1. Overview</a></li>
+ <li><a href="#p1.2">1.2. Document name and identification</a></li>
+ <li><a href="#p1.3">1.3. PKI participants</a><!--<ul>
+ <li><a href="#p1.3.1">1.3.1. Certification authorities</a></li>
+ <li><a href="#p1.3.2">1.3.2. Registration authorities</a></li>
+ <li><a href="#p1.3.3">1.3.3. Subscribers</a></li>
+ <li><a href="#p1.3.4">1.3.4. Relying parties</a></li>
+ <li><a href="#p1.3.5">1.3.5. Other participants</a></li>
+ </ul>--></li>
+ <li><a href="#p1.4">1.4. Certificate usage</a><!--<ul>
+ <li><a href="#p1.4.1">1.4.1. Appropriate certificate uses</a></li>
+ <li><a href="#p1.4.2">1.4.2. Prohibited certificate uses</a></li>
+ </ul>--></li>
+ <li><a href="#p1.5">1.5. Policy administration</a><!--<ul>
+ <li><a href="#p1.5.1">1.5.1. Organization administering the document</a></li>
+ <li><a href="#p1.5.2">1.5.2. Contact person</a></li>
+ <li><a href="#p1.5.3">1.5.3. Person determining CPS suitability for the policy</a></li>
+ <li><a href="#p1.5.4">1.5.4. CPS approval procedures</a></li>
+ <li><a href="#p1.5.5">1.5.5. CPS updates</a></li>
+ </ul>--></li>
+ <li><a href="#p1.6">1.6. Definitions and acronyms</a></li>
+ </ul></li>
+ <li><a href="#p2">2. PUBLICATION AND REPOSITORY RESPONSIBILITIES</a><ul>
+ <li><a href="#p2.1">2.1. Repositories</a></li>
+ <li><a href="#p2.2">2.2. Publication of certification information</a></li>
+ <li><a href="#p2.3">2.3. Time or frequency of publication</a></li>
+ <li><a href="#p2.4">2.4. Access controls on repositories</a></li>
+ </ul></li>
+ <li><a href="#p3">3. IDENTIFICATION AND AUTHENTICATION</a><ul>
+ <li><a href="#p3.1">3.1. Naming</a><!--<ul>
+ <li><a href="#p3.1.1">3.1.1. Types of names</a></li>
+ <li><a href="#p3.1.2">3.1.2. Need for names to be meaningful</a></li>
+ <li><a href="#p3.1.3">3.1.3. Anonymity or pseudonymity of subscribers</a></li>
+ <li><a href="#p3.1.4">3.1.4. Rules for interpreting various name forms</a></li>
+ <li><a href="#p3.1.5">3.1.5. Uniqueness of names</a></li>
+ <li><a href="#p3.1.6">3.1.6. Recognition, authentication, and role of trademarks</a></li>
+ </ul>--></li>
+ <li><a href="#p3.2">3.2. Initial identity validation</a><!--<ul>
+ <li><a href="#p3.2.1">3.2.1. Method to prove possession of private key</a></li>
+ <li><a href="#p3.2.2">3.2.2. Authentication of organization identity</a></li>
+ <li><a href="#p3.2.3">3.2.3. Authentication of individual identity</a></li>
+ <li><a href="#p3.2.4">3.2.4. Non-verified subscriber information</a></li>
+ <li><a href="#p3.2.5">3.2.5. Validation of authority</a></li>
+ <li><a href="#p3.2.6">3.2.6. Criteria for interoperation</a></li>
+ </ul>--></li>
+ <li><a href="#p3.3">3.3. Identification and authentication for re-key requests</a><!--<ul>
+ <li><a href="#p3.3.1">3.3.1. Identification and authentication for routine re-key</a></li>
+ <li><a href="#p3.3.2">3.3.2. Identification and authentication for re-key after revocation</a></li>
+ </ul>--></li>
+ <li><a href="#p3.4">3.4. Identification and authentication for revocation request</a></li>
+ </ul></li>
+ <li><a href="#p4">4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS (11)</a><ul>
+ <li><a href="#p4.1">4.1. Certificate Application</a><!--<ul>
+ <li><a href="#p4.1.1">4.1.1. Who can submit a certificate application</a></li>
+ <li><a href="#p4.1.2">4.1.2. Enrollment process and responsibilities</a></li>
+ </ul>--></li>
+ <li><a href="#p4.2">4.2. Certificate application processing</a><!--<ul>
+ <li><a href="#p4.2.1">4.2.1. Performing identification and authentication functions</a></li>
+ <li><a href="#p4.2.2">4.2.2. Approval or rejection of certificate applications</a></li>
+ <li><a href="#p4.2.3">4.2.3. Time to process certificate applications</a></li>
+ </ul>--></li>
+ <li><a href="#p4.3">4.3. Certificate issuance</a><!--<ul>
+ <li><a href="#p4.3.1">4.3.1. CA actions during certificate issuance</a></li>
+ <li><a href="#p4.3.2">4.3.2. Notification to subscriber by the CA of issuance of certificate</a></li>
+ </ul>--></li>
+ <li><a href="#p4.4">4.4. Certificate acceptance</a><!--<ul>
+ <li><a href="#p4.4.1">4.4.1. Conduct constituting certificate acceptance</a></li>
+ <li><a href="#p4.4.2">4.4.2. Publication of the certificate by the CA</a></li>
+ <li><a href="#p4.4.3">4.4.3. Notification of certificate issuance by the CA to other entities</a></li>
+ </ul>--></li>
+ <li><a href="#p4.5">4.5. Key pair and certificate usage</a><!--<ul>
+ <li><a href="#p4.5.1">4.5.1. Subscriber private key and certificate usage</a></li>
+ <li><a href="#p4.5.2">4.5.2. Relying party public key and certificate usage</a></li>
+ </ul>--></li>
+ <li><a href="#p4.6">4.6. Certificate renewal</a><!--<ul>
+ <li><a href="#p4.6.1">4.6.1. Circumstance for certificate renewal</a></li>
+ <li><a href="#p4.6.2">4.6.2. Who may request renewal</a></li>
+ <li><a href="#p4.6.3">4.6.3. Processing certificate renewal requests</a></li>
+ <li><a href="#p4.6.4">4.6.4. Notification of new certificate issuance to subscriber</a></li>
+ <li><a href="#p4.6.5">4.6.5. Conduct constituting acceptance of a renewal certificate</a></li>
+ <li><a href="#p4.6.6">4.6.6. Publication of the renewal certificate by the CA</a></li>
+ <li><a href="#p4.6.7">4.6.7. Notification of certificate issuance by the CA to other entities</a></li>
+ </ul>--></li>
+ <li><a href="#p4.7">4.7. Certificate re-key</a><!--<ul>
+ <li><a href="#p4.7.1">4.7.1. Circumstance for certificate re-key</a></li>
+ <li><a href="#p4.7.2">4.7.2. Who may request certification of a new public key</a></li>
+ <li><a href="#p4.7.3">4.7.3. Processing certificate re-keying requests</a></li>
+ <li><a href="#p4.7.4">4.7.4. Notification of new certificate issuance to subscriber</a></li>
+ <li><a href="#p4.7.5">4.7.5. Conduct constituting acceptance of a re-keyed certificate</a></li>
+ <li><a href="#p4.7.6">4.7.6. Publication of the re-keyed certificate by the CA</a></li>
+ <li><a href="#p4.7.7">4.7.7. Notification of certificate issuance by the CA to other entities</a></li>
+ </ul>--></li>
+ <li><a href="#p4.8">4.8. Certificate modification</a><!--<ul>
+ <li><a href="#p4.8.1">4.8.1. Circumstance for certificate modification</a></li>
+ <li><a href="#p4.8.2">4.8.2. Who may request certificate modification</a></li>
+ <li><a href="#p4.8.3">4.8.3. Processing certificate modification requests</a></li>
+ <li><a href="#p4.8.4">4.8.4. Notification of new certificate issuance to subscriber</a></li>
+ <li><a href="#p4.8.5">4.8.5. Conduct constituting acceptance of modified certificate</a></li>
+ <li><a href="#p4.8.6">4.8.6. Publication of the modified certificate by the CA</a></li>
+ <li><a href="#p4.8.7">4.8.7. Notification of certificate issuance by the CA to other entities</a></li>
+ </ul>--></li>
+ <li><a href="#p4.9">4.9. Certificate revocation and suspension</a><!--<ul>
+ <li><a href="#p4.9.1">4.9.1. Circumstances for revocation</a></li>
+ <li><a href="#p4.9.2">4.9.2. Who can request revocation</a></li>
+ <li><a href="#p4.9.3">4.9.3. Procedure for revocation request</a></li>
+ <li><a href="#p4.9.4">4.9.4. Revocation request grace period</a></li>
+ <li><a href="#p4.9.5">4.9.5. Time within which CA must process the revocation request</a></li>
+ <li><a href="#p4.9.6">4.9.6. Revocation checking requirement for relying parties</a></li>
+ <li><a href="#p4.9.7">4.9.7. CRL issuance frequency (if applicable)</a></li>
+ <li><a href="#p4.9.8">4.9.8. Maximum latency for CRLs (if applicable)</a></li>
+ <li><a href="#p4.9.9">4.9.9. On-line revocation/status checking availability</a></li>
+ <li><a href="#p4.9.10">4.9.10. On-line revocation checking requirements</a></li>
+ <li><a href="#p4.9.11">4.9.11. Other forms of revocation advertisements available</a></li>
+ <li><a href="#p4.9.12">4.9.12. Special requirements re key compromise</a></li>
+ <li><a href="#p4.9.13">4.9.13. Circumstances for suspension</a></li>
+ <li><a href="#p4.9.14">4.9.14. Who can request suspension</a></li>
+ <li><a href="#p4.9.15">4.9.15. Procedure for suspension request</a></li>
+ <li><a href="#p4.9.16">4.9.16. Limits on suspension period</a></li>
+ </ul>--></li>
+ <li><a href="#p4.10">4.10. Certificate status services</a><!--<ul>
+ <li><a href="#p4.10.1">4.10.1. Operational characteristics</a></li>
+ <li><a href="#p4.10.2">4.10.2. Service availability</a></li>
+ <li><a href="#p4.10.3">4.10.3. Optional features</a></li>
+ </ul>--></li>
+ <li><a href="#p4.11">4.11. End of subscription</a></li>
+ <li><a href="#p4.12">4.12. Key escrow and recovery</a><!--<ul>
+ <li><a href="#p4.12.1">4.12.1. Key escrow and recovery policy and practices</a></li>
+ <li><a href="#p4.12.2">4.12.2. Session key encapsulation and recovery policy and practices</a></li>
+ </ul>--></li>
+ </ul></li>
+ <li><a href="#p5">5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11)</a><ul>
+ <li><a href="#p5.1">5.1. Physical controls</a><!--<ul>
+ <li><a href="#p5.1.1">5.1.1. Site location and construction</a></li>
+ <li><a href="#p5.1.2">5.1.2. Physical access</a></li>
+ <li><a href="#p5.1.3">5.1.3. Power and air conditioning</a></li>
+ <li><a href="#p5.1.4">5.1.4. Water exposures</a></li>
+ <li><a href="#p5.1.5">5.1.5. Fire prevention and protection</a></li>
+ <li><a href="#p5.1.6">5.1.6. Media storage</a></li>
+ <li><a href="#p5.1.7">5.1.7. Waste disposal</a></li>
+ <li><a href="#p5.1.8">5.1.8. Off-site backup</a></li>
+ </ul>--></li>
+ <li><a href="#p5.2">5.2. Procedural controls</a><!--<ul>
+ <li><a href="#p5.2.1">5.2.1. Trusted roles</a></li>
+ <li><a href="#p5.2.2">5.2.2. Number of persons required per task</a></li>
+ <li><a href="#p5.2.3">5.2.3. Identification and authentication for each role</a></li>
+ <li><a href="#p5.2.4">5.2.4. Roles requiring separation of duties</a></li>
+ </ul>--></li>
+ <li><a href="#p5.3">5.3. Personnel controls</a><!--<ul>
+ <li><a href="#p5.3.1">5.3.1. Qualifications, experience, and clearance requirements</a></li>
+ <li><a href="#p5.3.2">5.3.2. Background check procedures</a></li>
+ <li><a href="#p5.3.3">5.3.3. Training requirements</a></li>
+ <li><a href="#p5.3.4">5.3.4. Retraining frequency and requirements</a></li>
+ <li><a href="#p5.3.5">5.3.5. Job rotation frequency and sequence</a></li>
+ <li><a href="#p5.3.6">5.3.6. Sanctions for unauthorized actions</a></li>
+ <li><a href="#p5.3.7">5.3.7. Independent contractor requirements</a></li>
+ <li><a href="#p5.3.8">5.3.8. Documentation supplied to personnel</a></li>
+ </ul>--></li>
+ <li><a href="#p5.4">5.4. Audit logging procedures</a><!--<ul>
+ <li><a href="#p5.4.1">5.4.1. Types of events recorded</a></li>
+ <li><a href="#p5.4.2">5.4.2. Frequency of processing log</a></li>
+ <li><a href="#p5.4.3">5.4.3. Retention period for audit log</a></li>
+ <li><a href="#p5.4.4">5.4.4. Protection of audit log</a></li>
+ <li><a href="#p5.4.5">5.4.5. Audit log backup procedures</a></li>
+ <li><a href="#p5.4.6">5.4.6. Audit collection system (internal vs. external)</a></li>
+ <li><a href="#p5.4.7">5.4.7. Notification to event-causing subject</a></li>
+ <li><a href="#p5.4.8">5.4.8. Vulnerability assessments</a></li>
+ </ul>--></li>
+ <li><a href="#p5.5">5.5. Records archival</a><!--<ul>
+ <li><a href="#p5.5.1">5.5.1. Types of records archived</a></li>
+ <li><a href="#p5.5.2">5.5.2. Retention period for archive</a></li>
+ <li><a href="#p5.5.3">5.5.3. Protection of archive</a></li>
+ <li><a href="#p5.5.4">5.5.4. Archive backup procedures</a></li>
+ <li><a href="#p5.5.5">5.5.5. Requirements for time-stamping of records</a></li>
+ <li><a href="#p5.5.6">5.5.6. Archive collection system (internal or external)</a></li>
+ <li><a href="#p5.5.7">5.5.7. Procedures to obtain and verify archive information</a></li>
+ </ul>--></li>
+ <li><a href="#p5.6">5.6. Key changeover</a></li>
+ <li><a href="#p5.7">5.7. Compromise and disaster recovery</a><!--<ul>
+ <li><a href="#p5.7.1">5.7.1. Incident and compromise handling procedures</a></li>
+ <li><a href="#p5.7.2">5.7.2. Computing resources, software, and/or data are corrupted</a></li>
+ <li><a href="#p5.7.3">5.7.3. Entity private key compromise procedures</a></li>
+ <li><a href="#p5.7.4">5.7.4. Business continuity capabilities after a disaster</a></li>
+ </ul>--></li>
+ <li><a href="#p5.8">5.8. CA or RA termination</a></li>
+ </ul></li>
+ <li><a href="#p6">6. TECHNICAL SECURITY CONTROLS (11)</a><ul>
+ <li><a href="#p6.1">6.1. Key pair generation and installation</a><!--<ul>
+ <li><a href="#p6.1.1">6.1.1. Key pair generation</a></li>
+ <li><a href="#p6.1.2">6.1.2. Private key delivery to subscriber</a></li>
+ <li><a href="#p6.1.3">6.1.3. Public key delivery to certificate issuer</a></li>
+ <li><a href="#p6.1.4">6.1.4. CA public key delivery to relying parties</a></li>
+ <li><a href="#p6.1.5">6.1.5. Key sizes</a></li>
+ <li><a href="#p6.1.6">6.1.6. Public key parameters generation and quality checking</a></li>
+ <li><a href="#p6.1.7">6.1.7. Key usage purposes (as per X.509 v3 key usage field)</a></li>
+ </ul>--></li>
+ <li><a href="#p6.2">6.2. Private Key Protection and Cryptographic Module Engineering Controls</a><!--<ul>
+ <li><a href="#p6.2.1">6.2.1. Cryptographic module standards and controls</a></li>
+ <li><a href="#p6.2.2">6.2.2. Private key (n out of m) multi-person control</a></li>
+ <li><a href="#p6.2.3">6.2.3. Private key escrow</a></li>
+ <li><a href="#p6.2.4">6.2.4. Private key backup</a></li>
+ <li><a href="#p6.2.5">6.2.5. Private key archival</a></li>
+ <li><a href="#p6.2.6">6.2.6. Private key transfer into or from a cryptographic module</a></li>
+ <li><a href="#p6.2.7">6.2.7. Private key storage on cryptographic module</a></li>
+ <li><a href="#p6.2.8">6.2.8. Method of activating private key</a></li>
+ <li><a href="#p6.2.9">6.2.9. Method of deactivating private key</a></li>
+ <li><a href="#p6.2.10">6.2.10. Method of destroying private key</a></li>
+ <li><a href="#p6.2.11">6.2.11. Cryptographic Module Rating</a></li>
+ </ul>--></li>
+ <li><a href="#p6.3">6.3. Other aspects of key pair management</a><!--<ul>
+ <li><a href="#p6.3.1">6.3.1. Public key archival</a></li>
+ <li><a href="#p6.3.2">6.3.2. Certificate operational periods and key pair usage periods</a></li>
+ </ul>--></li>
+ <li><a href="#p6.4">6.4. Activation data</a><!--<ul>
+ <li><a href="#p6.4.1">6.4.1. Activation data generation and installation</a></li>
+ <li><a href="#p6.4.2">6.4.2. Activation data protection</a></li>
+ <li><a href="#p6.4.3">6.4.3. Other aspects of activation data</a></li>
+ </ul>--></li>
+ <li><a href="#p6.5">6.5. Computer security controls</a><!--<ul>
+ <li><a href="#p6.5.1">6.5.1. Specific computer security technical requirements</a></li>
+ <li><a href="#p6.5.2">6.5.2. Computer security rating</a></li>
+ </ul>--></li>
+ <li><a href="#p6.6">6.6. Life cycle technical controls</a><!--<ul>
+ <li><a href="#p6.6.1">6.6.1. System development controls</a></li>
+ <li><a href="#p6.6.2">6.6.2. Security management controls</a></li>
+ <li><a href="#p6.6.3">6.6.3. Life cycle security controls</a></li>
+ </ul>--></li>
+ <li><a href="#p6.7">6.7. Network security controls</a></li>
+ <li><a href="#p6.8">6.8. Time-stamping</a></li>
+ </ul></li>
+ <li><a href="#p7">7. CERTIFICATE, CRL, AND OCSP PROFILES</a><ul>
+ <li><a href="#p7.1">7.1. Certificate profile</a><!--<ul>
+ <li><a href="#p7.1.1">7.1.1. Version number(s)</a></li>
+ <li><a href="#p7.1.2">7.1.2. Certificate extensions</a></li>
+ <li><a href="#p7.1.3">7.1.3. Algorithm object identifiers</a></li>
+ <li><a href="#p7.1.4">7.1.4. Name forms</a></li>
+ <li><a href="#p7.1.5">7.1.5. Name constraints</a></li>
+ <li><a href="#p7.1.6">7.1.6. Certificate policy object identifier</a></li>
+ <li><a href="#p7.1.7">7.1.7. Usage of Policy Constraints extension</a></li>
+ <li><a href="#p7.1.8">7.1.8. Policy qualifiers syntax and semantics</a></li>
+ <li><a href="#p7.1.9">7.1.9. Processing semantics for the critical Certificate Policies extension</a></li>
+ </ul>--></li>
+ <li><a href="#p7.2">7.2. CRL profile</a><!--<ul>
+ <li><a href="#p7.2.1">7.2.1. Version number(s)</a></li>
+ <li><a href="#p7.2.2">7.2.2. CRL and CRL entry extensions</a></li>
+ </ul>--></li>
+ <li><a href="#p7.3">7.3. OCSP profile</a><!--<ul>
+ <li><a href="#p7.3.1">7.3.1. Version number(s)</a></li>
+ <li><a href="#p7.3.2">7.3.2. OCSP extensions</a></li>
+ </ul>--></li>
+ </ul></li>
+ <li><a href="#p8">8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS</a><ul>
+ <li><a href="#p8.1">8.1. Frequency or circumstances of assessment</a></li>
+ <li><a href="#p8.2">8.2. Identity/qualifications of assessor</a></li>
+ <li><a href="#p8.3">8.3. Assessor's relationship to assessed entity</a></li>
+ <li><a href="#p8.4">8.4. Topics covered by assessment</a></li>
+ <li><a href="#p8.5">8.5. Actions taken as a result of deficiency</a></li>
+ <li><a href="#p8.6">8.6. Communication of results</a></li>
+ </ul></li>
+ <li><a href="#p9">9. OTHER BUSINESS AND LEGAL MATTERS</a><ul>
+ <li><a href="#p9.1">9.1. Fees</a><!--<ul>
+ <li><a href="#p9.1.1">9.1.1. Certificate issuance or renewal fees</a></li>
+ <li><a href="#p9.1.2">9.1.2. Certificate access fees</a></li>
+ <li><a href="#p9.1.3">9.1.3. Revocation or status information access fees</a></li>
+ <li><a href="#p9.1.4">9.1.4. Fees for other services</a></li>
+ <li><a href="#p9.1.5">9.1.5. Refund policy</a></li>
+ </ul>--></li>
+ <li><a href="#p9.2">9.2. Financial responsibility</a><!--<ul>
+ <li><a href="#p9.2.1">9.2.1. Insurance coverage</a></li>
+ <li><a href="#p9.2.2">9.2.2. Other assets</a></li>
+ <li><a href="#p9.2.3">9.2.3. Insurance or warranty coverage for end-entities</a></li>
+ </ul>--></li>
+ <li><a href="#p9.3">9.3. Confidentiality of business information</a><!--<ul>
+ <li><a href="#p9.3.1">9.3.1. Scope of confidential information</a></li>
+ <li><a href="#p9.3.2">9.3.2. Information not within the scope of confidential information</a></li>
+ <li><a href="#p9.3.3">9.3.3. Responsibility to protect confidential information</a></li>
+ </ul>--></li>
+ <li><a href="#p9.4">9.4. Privacy of personal information</a><!--<ul>
+ <li><a href="#p9.4.1">9.4.1. Privacy plan</a></li>
+ <li><a href="#p9.4.2">9.4.2. Information treated as private</a></li>
+ <li><a href="#p9.4.3">9.4.3. Information not deemed private</a></li>
+ <li><a href="#p9.4.4">9.4.4. Responsibility to protect private information</a></li>
+ <li><a href="#p9.4.5">9.4.5. Notice and consent to use private information</a></li>
+ <li><a href="#p9.4.6">9.4.6. Disclosure pursuant to judicial or administrative process</a></li>
+ <li><a href="#p9.4.7">9.4.7. Other information disclosure circumstances</a></li>
+ </ul>--></li>
+ <li><a href="#p9.5">9.5. Intellectual property rights</a></li>
+ <li><a href="#p9.6">9.6. Representations and warranties</a><!--<ul>
+ <li><a href="#p9.6.1">9.6.1. CA representations and warranties</a></li>
+ <li><a href="#p9.6.2">9.6.2. RA representations and warranties</a></li>
+ <li><a href="#p9.6.3">9.6.3. Subscriber representations and warranties</a></li>
+ <li><a href="#p9.6.4">9.6.4. Relying party representations and warranties</a></li>
+ <li><a href="#p9.6.5">9.6.5. Representations and warranties of other participants</a></li>
+ </ul>--></li>
+ <li><a href="#p9.7">9.7. Disclaimers of warranties</a></li>
+ <li><a href="#p9.8">9.8. Limitations of liability</a></li>
+ <li><a href="#p9.9">9.9. Indemnities</a></li>
+ <li><a href="#p9.10">9.10. Term and termination</a><!--<ul>
+ <li><a href="#p9.10.1">9.10.1. Term</a></li>
+ <li><a href="#p9.10.2">9.10.2. Termination</a></li>
+ <li><a href="#p9.10.3">9.10.3. Effect of termination and survival</a></li>
+ </ul>--></li>
+ <li><a href="#p9.11">9.11. Individual notices and communications with participants</a></li>
+ <li><a href="#p9.12">9.12. Amendments</a><!--<ul>
+ <li><a href="#p9.12.1">9.12.1. Procedure for amendment</a></li>
+ <li><a href="#p9.12.2">9.12.2. Notification mechanism and period</a></li>
+ <li><a href="#p9.12.3">9.12.3. Circumstances under which OID must be changed</a></li>
+ </ul>--></li>
+ <li><a href="#p9.13">9.13. Dispute resolution provisions</a></li>
+ <li><a href="#p9.14">9.14. Governing law</a></li>
+ <li><a href="#p9.15">9.15. Compliance with applicable law</a></li>
+ <li><a href="#p9.16">9.16. Miscellaneous provisions</a><!--<ul>
+ <li><a href="#p9.16.1">9.16.1. Entire agreement</a></li>
+ <li><a href="#p9.16.2">9.16.2. Assignment</a></li>
+ <li><a href="#p9.16.3">9.16.3. Severability</a></li>
+ <li><a href="#p9.16.4">9.16.4. Enforcement (attorneys' fees and waiver of rights)</a></li>
+ <li><a href="#p9.16.5">9.16.5. Force Majeure</a></li>
+ </ul>--></li>
+ </ul></li>
+<!--
+ <li><a href="#def">Appendix A. Definitions</a><ul>
+ <li><a href="#dcrt">Certificate</a></li>
+ <li><a href="#dcac">CAcert</a></li>
+ <li><a href="#dusr">CAcert user</a></li>
+ <li><a href="#dreg">CAcert unassured user</a></li>
+ <li><a href="#dsub">CAcert subscriber</a></li>
+ <li><a href="#ddom">CAcert domain master</a></li>
+ <li><a href="#dorg">CAcert organisation administrator</a></li>
+ <li><a href="#dasd">CAcert assured user</a></li>
+ <li><a href="#dass">CAcert Assurer</a></li>
+ <li><a href="#drel">CAcert relying party</a></li>
+ <li><a href="#ddst">CAcert cert redistributors</a></li>
+ <li><a href="#dwrk">CAcert Contributions</a></li>
+ <li><a href="#dcon">CAcert Contributors</a></li>
+ <li><a href="#dacn">CAcert Authorized Contributor</a></li>
+ </ul></li>
+ <li><a href="#oths">Appendix B. Other Services</a></li>
+-->
+</ul>
+
+</font>
+
+
+
+
+<h2><a name="p1" id="p1">1. INTRODUCTION</a></h2>
+<p>This policy is structured according to <a href="http://www.ietf.org/rfc/rfc3647.txt">RFC 3647</a> chapter 4.</p>
+<!--<p class="tbd">TBD: "To be discussed" or "to be done": Sections in green require some discussion or someone to fill the blanks.</p>-->
+
+<p>Version 0.10 2005/07/08</p>
+
+<h3><a name="p1.1" id="p1.1">1.1. Overview</a></h3>
+<p>This document describes the set of rules and procedures used by CAcert, the community Certification Authority (CA).</p>
+
+<h3><a name="p1.2" id="p1.2">1.2. Document name and identification</a></h3>
+<ul>
+ <li>OID assigned: 1.3.6.1.4.1.18506 (<a href="http://www.iana.org/assignments/enterprise-numbers">http://www.iana.org/assignments/enterprise-numbers</a></li>
+ <li>As of the 24th of July, 2003, CAcert Incorporated is an association registered under the laws of New South Wales, Australia. C.f. <a href="http://www.cacert.org/index.php?id=35"></a> and ASIC.</li>
+ <li>The Domain cacert.com and cacert.org can be looked up in the <a href="http://www.gkg.net/whois/">Whois</a> database. They are currently registered at GKG.NET</li>
+ <li><a href="http://www.cacert.org/docs/incorporation.jpg">Certificate of Incorporation as an Association</a></li>
+ <li>(* <a href="#imp">imp</a>) President: <a href="mailto:duane@cacert.org">Duane Groth</a>, Vice-President: <a href="mailto:markl@gasupnow.com">Mark Lipscombe</a></li>
+ <li>(* <a href="#imp">imp</a>) Contact: support AT cacert DOT org </li>
+ <li>(* <a href="#imp">imp</a>) Discussion Forum: <a href="http://lists.cacert.org/">mailing lists</a></li>
+ <li>(* <a href="#imp">imp</a>) IRC: irc.cacert.org #CAcert (ssl port 7000, non-ssl port 6667)</li>
+ <li>Home Page: <a href="http://www.cacert.org/">CAcert Inc: The Free Community Digital Certification Authority</a></li>
+<li>Physical address:<br>
+CAcert Inc.<br>
+P.O. Box 4107<br>
+Denistone East NSW 2112<br>
+Australia</li>
+</ul>
+
+<h3><a name="p1.3" id="p1.3">1.3. PKI participants</a></h3>
+
+<h4><a name="p1.3.1" id="p1.3.1">1.3.1. Certification authorities</a></h4>
+<p>CAcert does not issue certificates to external intermediate CA's under the present policy.</p>
+
+
+<h4><a name="p1.3.2" id="p1.3.2">1.3.2. Registration authorities</a></h4>
+<p>Entitled "<a href="#dass">CAcert Assurer</a>" or "Trusted third Parties"
+report the identification of users to CAcert.
+
+In addition, CAcert accepts CAs which are not operated by CAcert as RAs, by acknowledging a certificate with a certain amount of trust depending on the CPS of the other CA.
+CAcert retains the right to introduce further methods of identification, but ensures,
+that either a single identification is made reliable enough or multiple less reliable identifications have to be combined in a way defined by CAcert, satisfying CAcert minimum standards in all cases.</p>
+
+<h4><a name="p1.3.3" id="p1.3.3">1.3.3. Subscribers</a></h4>
+<p>CAcert issues certificate to <a href="#dreg">unassured users</a>, who fulfil the requirements for proper identification as defined in this document.</p>
+<p>CAcert issues certificates for individuals, businesses, governments, charities, associations, churches, schools, non-governmental organizations or other legitimate groups.</p>
+
+
+<h4><a name="p1.3.4" id="p1.3.4">1.3.4. Relying parties</a></h4>
+<p>Everyone who uses certificates issued by CAcert either directly or indirectly can be a relying party.</p>
+
+<h4><a name="p1.3.5" id="p1.3.5">1.3.5. Other participants</a></h4>
+<p>Software vendors who integrate the certificate of CAcert into its software are also relying parties with a special role in the "Internet PKI". Please consult the licenses/policies/... of the root key distribution service you are using, before relying on a certificate.</p>
+
+
+<h3><a name="p1.4" id="p1.4">1.4. Certificate usage</a></h3>
+<p>The CPS applies to all CAcert PKI Participants, including CAcert, Assurers, Customers, Resellers, Subscribers and Relying Parties.</p>
+<p>CAcert operates 2 root certificates, one for assured users and one for unassured users. The root certificate for assured users is signed by the root certificate for unassured users (it is a sub-certificate).
+Relying parties can decide to trust only the assured certificates (by selecting the root for assured users as trust anchor), or all certificates (by selecting the root for unassured users as trust anchor).</p> + +<p>Each of the root certificates signs all of the different types of certificatese/p> + +<p>Each type of Certificate is generally appropriate for use with the corresponding applications defined in <a href="#p1.4.1">1.4.1</a>, unless prohibited in <a href="#p1.4.2">1.4.2</a>. +Additionally, by contract or within a specific environment (e.g. company-internally), CAcert users are permitted to use Certificates for higher security applications. +Any such usage, however, is limited to such entities and these entities shall be responsible for any harm or liability caused by such usage.</p> + +<p>See <a href="#p1.3.3">1.3.3 End entities</a></p> + +<h4><a name="p1.4.1" id="p1.4.1">1.4.1. Appropriate certificate uses</a></h4> +<ul> +<li>CAcert server certificates can be used for SSL/TLS Servers (Webservers, Mailservers, IM-Servers, ...).</li> +<li>CAcert client certificates can be used with SSL/TLS Clients (Email-Clients, Browsers, ...) to authenticate with the servers.</li> +<li>CAcert OpenPGP signatures can be used with OpenPGP compatible software to encrypt and sign files and emails.</li> +<li>CAcert client certificates can be used to authenticate to Web-based Signature services.</li> +</ul> + +<h4><a name="p1.4.2" id="p1.4.2">1.4.2. 
Prohibited certificate uses</a></h4> +<p>CAcert certificates are not designed, intended, or authorized for use or resale as control equipment in hazardous circumstances or for uses requiring fail-safe performance such as the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control systems, or weapons control systems, where failure could lead directly to death, personal injury, or severe environmental damage.</p> +<p>Also, anonymous client certificates from CAcert unassured users shall not be used as proof of identity or as support of non-repudiation of identity or authority.</p> + +<p>CAcert certificates should not be used directly for digital signature applications. CAcert is working on the issue, to support the digital signature application in the future. Alternatively, CAcert users can use external digital signature services, which use the CAcert certificate only for realtime-authentication.</p> + + +<h3><a name="p1.5" id="p1.5">1.5. Policy administration</a></h3> +<p>See <a href="#p1.2">1.2 Identification</a></p> + +<h4><a name="p1.5.1" id="p1.5.1">1.5.1. Organization administering the document</a></h4> +<p>See <a href="#p1.2">1.2 Identification</a></p> + +<h4><a name="p1.5.2" id="p1.5.2">1.5.2. Contact person</a></h4> +<p>See <a href="#p1.2">1.2 Identification</a></p> + +<h4><a name="p1.5.3" id="p1.5.3">1.5.3. Person determining CPS suitability for the policy</a></h4> +<p>See <a href="#p1.2">1.2 Identification</a></p> + +<h4><a name="p1.5.4" id="p1.5.4">1.5.4. 
CPS approval procedures</a></h4> +<p>Changes are approved by a majority vote of the board members.</p> + +<p>If a rule has been made stricter than before, the status of affected people is not automatically degraded and their certificates are not invalidated, unless there is a reason to do so.</p> +<p>If a rule has been relaxed, the status of affected people is not automatically upgraded unless they apply for this change.</p> + +<h3><a name="p1.5.5" id="p1.5.5">1.5.5 CPS updates</a></h3> +<p>Paragraphs marked "(* <a name="imp" id="imp">imp</a>)" are implementation +details as of the time when this policy was written or updated. They are provided just +for information and shall not be legally binding.</p> +<p>Change of such an implementation section or correction of spelling, grammar or html +errors are not considered policy changes, but rather policy updates. CAcert retains the +right to do them beyond the procedures defined in chapter 2.7.</p> + + +<h3><a name="p1.6" id="p1.6">1.6. Definitions and acronyms</a></h3> +<h4><a name="dcrt" id="dcrt">Certificate</a></h4> +<p>A certificate is a piece of data used for cryptographic purposes, especially + digital signature and encryption in association with appropriate software, which + has to be provided by the user.</p> +<h4><a name="dcac" id="dcac">CAcert</a></h4> +<p>CAcert is a community project as defined under section <a href="#p1.2">1.2 Identification</a></p> +<h4><a name="dusr" id="dusr">CAcert user</a></h4> +<p>Everyone who visits CAcert or makes use of CAcert's data, programs or services.</p> +<h4><a name="dreg" id="dreg">CAcert unassured user</a></h4> +<p>A CAcert user, who registers at CAcert, but is not assured yet. The email address of these users is + checked by simple technical means. 
Currently only individuals, not legal entities can register.</p>
+<h4><a name="dsub" id="dsub">CAcert subscriber</a></h4>
+<p>A registered user who requests and receives a certificate</p>
+<h4><a name="ddom" id="ddom">CAcert domain masters</a></h4>
+<p>A CAcert subscriber, who has some level of control over the Internet domain name
+ he requests certificates for at CAcert. </p>
+<h4><a name="dorg" id="dorg">CAcert organisation administrator</a></h4>
+<p>A CAcert assurer, who is entitled by an organisation to vouch for the identity
+ of others users of the organisation.</p>
+<h4><a name="dasd" id="dasd">CAcert assured user</a></h4>
+<p>A CAcert registered user whose identity is verified by an Assurer or other
+ registration authorities.</p>
+<h4><a name="dass" id="dass">CAcert Assurer</a></h4>
+<p>A CAcert assured user who is authorized by CAcert to verify the identity
+ of other users.</p>
+<h4><a name="drel" id="drel">CAcert relying party</a></h4>
+<p>CAcert users, who base their decisions on the fact, that they have been shown
+ a certificate issued by CAcert.</p>
+<h4><a name="rel" id="rel">Relying party</a></h4>
+<p>Anyone who bases their decisions on a certificate.</p>
+<h4><a name="ddst" id="ddst">CAcert cert redistributors</a></h4>
+<p>CAcert users, who distribute CAcert's root or intermediate certificates in any
+way, including but not limited to delivering these certificates with their products,
+e.g. browsers, mailers or servers.</p>
+<h4><a name="dwrk" id="dwrk">CAcert Contributions</a></h4>
+<p>Contributions are any kind of intellectual property which find their way into
+the CAcert project with the consent of the copyright holder. Contributions can be
+code or content, whole modules, files or just a few lines in a larger file.</p>
+<p>Contributions can be submitted via any electronic or material path. 
Entries
+in CAcerts' systems, including, but not limited to the Content Management System
+or the Bug Tracking System are considered Contributions.</p>
+<h4><a name="dcon" id="dcon">CAcert Contributors</a></h4>
+<p>Contributors are people or entities that make contributions to
+CAcert, either because they have been paid for this services, or
+donated them. Services include, but are not limited to
+any of their own graphical design work, any sections of their code,
+software, articles, files, or any other material given to CAcert, is
+considered a "contribution".</p>
+<h4><a name="dacn" id="dacn">CAcert Authorized Contributor</a></h4>
+<p>An authorized Contributor is a CAcert Contributor, who is
+authorized by CAcert to access one, several or all internal, non-public and
+potentially confidential parts of the CAcert web site, CAcert mailing lists
+or any non-public documents about CAcert.</p>
+
+
+
+
+
+
+<h2><a name="p2" id="p2">2. PUBLICATION AND REPOSITORY RESPONSIBILITIES</a></h2>
+<h3><a name="p2.1" id="p2.1">2.1. Repositories</a></h3>
+<p>CAcert operates its own repositories for the root certificates, issued certificates and CRLs.</p>
+
+<h3><a name="p2.2" id="p2.2">2.2. Publication of certification information</a></h3>
+<p>CAcert publishes it's root certificate and intermediate certificates if applicable, the latest CRL, a copy of this document, other relevant information.</p>
+
+<h3><a name="p2.3" id="p2.3">2.3. Time or frequency of publication</a></h3>
+<p>Certificates, CRLs and new information will be published as soon as they are issued. The subscribers acceptance of a certificate is not required.</p>
+
+<h3><a name="p2.4" id="p2.4">2.4. Access controls on repositories</a></h3>
+<p>There is read only web-access for everyone for the information mentioned under 2.1. 
Other information like registration information requires authentication.</p>
+<p>CAcert has implemented logical and physical security measures to prevent unauthorized persons from adding, deleting, or modifying repository entries.</p>
+
+
+<h2><a name="p3" id="p3">3. IDENTIFICATION AND AUTHENTICATION</a></h2>
+<h3><a name="p3.1" id="p3.1">3.1. Naming</a></h3>
+<p>CAcert assigns a Distinguished Name (DN, X.501) to each entity of a registered user.</p>
+
+<h4><a name="p3.1.1" id="p3.1.1">3.1.1. Types of names</a></h4>
+<p>In case of Client certificates the DN contains:</p>
+<ul>
+ <li>EmailAddress= One of the verified email addresses of the user.</li>
+ <li>cn= CAcert User Cert. Assured users can optionally have their common name here.</li>
+</ul>
+<p>Other information about the user is collected, but does not go into the certificate.</p>
+<p>In case of server certificates the DN contains:</p>
+<ul>
+ <li>cn= a host name out of a domain for which the registered user is a domain master.</li>
+ <li>All other fields are optional and must either match the cn or they must be empty</li>
+</ul>
+<p>For certificates of organisations, the following fields are used:</p>
+<ul>
+<li>OU: organizationalUnitName</li>
+<li>O: organizationName</li>
+<li>L: localityName</li>
+<li>ST: stateOrProvinceName</li>
+<li>C: countryName</li>
+<li>contact: EMail Adress of Contact</li>
+</ul>
+
+
+<h4><a name="p3.1.2" id="p3.1.2">3.1.2. Need for names to be meaningful</a></h4>
+<p>no stipulation</p>
+
+<h4><a name="p3.1.3" id="p3.1.3">3.1.3. Anonymity or pseudonymity of subscribers</a></h4>
+For unassured people, we are only providing anonym certificates.
+Assured people can decide, whether they want identifying or pseudonym certificates.
+In case of pseudonym certificates, the serial number of the certificate is the pseudonym identity.
+
+<h4><a name="p3.1.4" id="p3.1.4">3.1.4. Rules for interpreting various name forms</a></h4>
+<p>no stipulation</p>
+
+<h4><a name="p3.1.5" id="p3.1.5">3.1.5. 
Uniqueness of names</a></h4>
+<p>Some check for the uniqueness of users is done during registration (<span class="tbd">More precisely</span>)</p>
+<p>We never issue the same DN twice, unless a certificate with a DN is expired or revoked.</p>
+
+<h4><a name="p3.1.6" id="p3.1.6">3.1.6. Recognition, authentication, and role of trademarks</a></h4>
+<p>The organisation has to present their "Certificate of Incorporation" (or similar document proving the existence of the organisation) to authenticate itself.</p>
+<p>CAcert does not automatically verify the name appearing in the certificate, the domain name or any other fields against trademarks or intellectual property rights.
+CAcert can reject or suspend any certificate without liability in case of a dispute.</p>
+
+<h3><a name="p3.2" id="p3.2">3.2. Initial identity validation</a></h3>
+<h4><a name="p3.2.1" id="p3.2.1">3.2.1. Method to prove possession of private key</a></h4>
+<p>no stipulation</p>
+
+<h4><a name="p3.2.2" id="p3.2.2">3.2.2. Authentication of organization identity</a></h4>
+<p>c.f. <a href="#p1.3">1.3</a>: There are three steps involved in assuring the identity of an organization:
+1) The organization must authorize in writing a named real person to obtain a certificate in the common name (CN) of an organization.
+2) The authorized, named real person must become assured.
+3) The authorized, named real person must present the following:
+ a) The written authorization to obtain the certificate (item 1 above).
+ b) Proof of legal existence of the organization, in most cases. Items 2 and 3 may be completed simultaneously.</p>
+
+<h4><a name="p3.2.3" id="p3.2.3">3.2.3. Authentication of individual identity</a></h4>
+<p>Individuals are assigned a level of trust on a scale from 0 to 200 points.
+The actual level of trust is not published, only if specified levels are passed.</p>
+<p>When passing 50 points, a registered user becomes an assured user. 
+When passing 100 points an assured user becomes an Assurer.</p>
+<p>The points assigned depend on the trust reported by the RAs. The details how
+to gain trust points are subjected to change. C.f. <a href="#p5.2">5.2</a>.</p>
+
+<h4><a name="p3.2.4" id="p3.2.4">3.2.4. Non-verified subscriber information</a></h4>
+<p>N/A</p>
+
+<h4><a name="p3.2.5" id="p3.2.5">3.2.5. Validation of authority</a></h4>
+<p>Domain-owners have to proof the authority over the domain with an Email-ping to one of several standard email addresses of the domain, or one of the email addresses found in the the whois record of the domain.</p>
+
+<h4><a name="p3.2.6" id="p3.2.6">3.2.6. Criteria for interoperation</a></h4>
+<p>CAcert doesn't plan to issue certificates to subordinate CA's or other PKIs at this time.</p>
+
+<h3><a name="p3.3" id="p3.3">3.3. Identification and authentication for re-key requests</a></h3>
+<h4><a name="p3.3.1" id="p3.3.1">3.3.1. Identification and authentication for routine re-key</a></h4>
+<p>Authentication is done only once and does not expire normally. CAcert registered users will be issued certificates based on their current authentication status.</p>
+<p>(* <a href="#imp">imp</a>) Server Certificates of assured people expire after 2 Years</p>
+<p>(* <a href="#imp">imp</a>) Client Certificates of assured people expire after 1 Year</p>
+<p>(* <a href="#imp">imp</a>) Client Certificates of non-assured people expire after 6 Month</p>
+<p>(* <a href="#imp">imp</a>) Client Certificates of non-assured people expire after 6 Month</p>
+<p>(* <a href="#imp">imp</a>) OpenPGP Signatures expire after 1 Year</p>
+
+<h4><a name="p3.3.2" id="p3.3.2">3.3.2. Identification and authentication for re-key after revocation</a></h4>
+<p>New request</p>
+
+<h3><a name="p3.4" id="p3.4">3.4. Identification and authentication for revocation request</a></h3>
+<p>Done by the user via web interface.</p>
+
+
+
+
+
+<h2><a name="p4" id="p4">4. 
CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS (11)</a></h2>
+<h3><a name="p4.1" id="p4.1">4.1. Certificate Application</a></h3>
+
+<h4><a name="p4.1.1" id="p4.1.1">4.1.1. Who can submit a certificate application</a></h4>
+<p>Anyone who has web-browser capabilities and internet-access is eligible to request CAcert's services.</p>
+
+<h4><a name="p4.1.2" id="p4.1.2">4.1.2. Enrolment process and responsibilities</a></h4>
+<p>The user has to generate a key-pair, either with his browser (for client certificates), or manually (for server certificates). The user can decide to store the key-pair on the computer or on a hardware token.
+The private key is never sent to the CA, or anyone else.
+Then the certificate request is submitted on the CAcert.org website.
+The resulting certificate can be downloaded on the website, and is additionally sent by email.</p>
+
+<h3><a name="p4.2" id="p4.2">4.2. Certificate application processing</a></h3>
+<h4><a name="p4.2.1" id="p4.2.1">4.2.1. Performing identification and authentication functions</a></h4>
+The user is authenticated on the web-interface either with his username/passphrase or with his digital certificate.
+The user's identity is checked by an assurer or a trusted third party.
+The digital identity of the user is automatically checked by an email probe either to the email address for client certificates, or to one of the administrative email addresses for the domain in question.
+
+<h4><a name="p4.2.2" id="p4.2.2">4.2.2. Approval or rejection of certificate applications</a></h4>
+
+<h4><a name="p4.2.3" id="p4.2.3">4.2.3. Time to process certificate applications</a></h4>
+The certificate application process is completely automated, and should be finished in less than a minute.
+
+<h3><a name="p4.3" id="p4.3">4.3. 
Certificate issuance</a></h3>
+<p>Client certificates are issued to registered users (Persona CA) or to authenticated users.</p>
+<p>Server certificates are issued to domain masters.</p>
+
+<h4><a name="p4.3.1" id="p4.3.1">4.3.1. CA actions during certificate issuance</a></h4>
+There are no special actions during the certificate issuance.
+
+<h4><a name="p4.3.2" id="p4.3.2">4.3.2. Notification to subscriber by the CA of issuance of certificate</a></h4>
+The CA notifies the subscriber via email about the issuance of the certificate.
+
+<h3><a name="p4.4" id="p4.4">4.4. Certificate acceptance</a></h3>
+
+<h4><a name="p4.4.1" id="p4.4.1">4.4.1. Conduct constituting certificate acceptance</a></h4>
+The user does not need to explicitly accept the certificate. If the user does not accept the certificate,
+he has to revoke the certificate.
+
+<h4><a name="p4.4.2" id="p4.4.2">4.4.2. Publication of the certificate by the CA</a></h4>
+The CA may publish the issued certificates in a repository (Keyserver, LDAP, X.500, ...).
+
+<h4><a name="p4.4.3" id="p4.4.3">4.4.3. Notification of certificate issuance by the CA to other entities</a></h4>
+There are no external entities that are notified about issued certificates.
+
+<h3><a name="p4.5" id="p4.5">4.5. Key pair and certificate usage</a></h3>
+<h4><a name="p4.5.1" id="p4.5.1">4.5.1. Subscriber private key and certificate usage</a></h4>
+There are no special restrictions or responsibilities for the usage of the private key or the certificate usage.
+
+<h4><a name="p4.5.2" id="p4.5.2">4.5.2. Relying party public key and certificate usage</a></h4>
+<p>CAcert relying party assure that they inquired all details necessary to validate
+ their decision. 
This includes, but is not limited to the check of the presented
+ certificate against expiry time, current certificate revocation list (CRL),
+ certificate chain and the validity check of the certificates in the chain.</p>
+<p>The relying party is not freed from these responsibilities by the fact that a
+ redistributor included CAcerts' root or intermediate
+ certificate in a product that the relying party uses.</p>
+<p>CAcert does not recommend to use its certificates to secure transactions above $1.000 .
+ If subscribers do so anyway, this may further restrict the liability of CAcert.</p>
+
+<h3><a name="p4.6" id="p4.6">4.6. Certificate renewal</a></h3>
+<h4><a name="p4.6.1" id="p4.6.1">4.6.1. Circumstance for certificate renewal</a></h4>
+A certificate can be renewed anytime.
+
+<h4><a name="p4.6.2" id="p4.6.2">4.6.2. Who may request renewal</a></h4>
+For personal certificates, the person issued the certificate may request the renewal of the certificate.
+For organisational certificates, any of the organisation-administrator my request the renewal of the certificate.
+
+<h4><a name="p4.6.3" id="p4.6.3">4.6.3. Processing certificate renewal requests</a></h4>
+The procedure of certificate renewal is similar to the initial certificate issuance.
+The user has to login into the web-interface, and start the request there.
+The subject of the certificate is checked, whether the necessary conditions are still fulfilled.
+
+<h4><a name="p4.6.4" id="p4.6.4">4.6.4. Notification of new certificate issuance to subscriber</a></h4>
+The subscriber is notified with an email about the renewal of his certificate.
+
+<h4><a name="p4.6.5" id="p4.6.5">4.6.5. Conduct constituting acceptance of a renewal certificate</a></h4>
+There is no need to explicitly accept the renewed certificate.
+
+<h4><a name="p4.6.6" id="p4.6.6">4.6.6. Publication of the renewal certificate by the CA</a></h4>
+The CA may publish the renewed certificates in a repository. 
+
+<h4><a name="p4.6.7" id="p4.6.7">4.6.7. Notification of certificate issuance by the CA to other entities</a></h4>
+There are no external entities that are notified of certificate renewal.
+
+<h3><a name="p4.7" id="p4.7">4.7. Certificate re-key</a></h3>
+<h4><a name="p4.7.1" id="p4.7.1">4.7.1. Circumstance for certificate re-key</a></h4>
+<p>A re-key request is a normal new-certificate request.</p>
+
+<h4><a name="p4.7.2" id="p4.7.2">4.7.2. Who may request certification of a new public key</a></h4>
+<p>N/A</p>
+<h4><a name="p4.7.3" id="p4.7.3">4.7.3. Processing certificate re-keying requests</a></h4>
+<p>N/A</p>
+<h4><a name="p4.7.4" id="p4.7.4">4.7.4. Notification of new certificate issuance to subscriber</a></h4>
+<p>N/A</p>
+<h4><a name="p4.7.5" id="p4.7.5">4.7.5. Conduct constituting acceptance of a re-keyed certificate</a></h4>
+<p>N/A</p>
+<h4><a name="p4.7.6" id="p4.7.6">4.7.6. Publication of the re-keyed certificate by the CA</a></h4>
+<p>N/A</p>
+<h4><a name="p4.7.7" id="p4.7.7">4.7.7. Notification of certificate issuance by the CA to other entities</a></h4>
+<p>N/A</p>
+
+<h3><a name="p4.8" id="p4.8">4.8. Certificate modification</a></h3>
+<h4><a name="p4.8.1" id="p4.8.1">4.8.1. Circumstance for certificate modification</a></h4>
+There is no way to modify a certificate. A new certificate has to be issued instead.
+
+<h4><a name="p4.8.2" id="p4.8.2">4.8.2. Who may request certificate modification</a></h4>
+<p>N/A</p>
+<h4><a name="p4.8.3" id="p4.8.3">4.8.3. Processing certificate modification requests</a></h4>
+<p>N/A</p>
+<h4><a name="p4.8.4" id="p4.8.4">4.8.4. Notification of new certificate issuance to subscriber</a></h4>
+<p>N/A</p>
+<h4><a name="p4.8.5" id="p4.8.5">4.8.5. Conduct constituting acceptance of modified certificate</a></h4>
+<p>N/A</p>
+<h4><a name="p4.8.6" id="p4.8.6">4.8.6. Publication of the modified certificate by the CA</a></h4>
+<p>N/A</p>
+<h4><a name="p4.8.7" id="p4.8.7">4.8.7. 
Notification of certificate issuance by the CA to other entities</a></h4>
+<p>N/A</p>
+
+<h3><a name="p4.9" id="p4.9">4.9. Certificate revocation and suspension</a></h3>
+<h4><a name="p4.9.1" id="p4.9.1">4.9.1. Circumstances for revocation</a></h4>
+<p>Private key compromised or certificate owner identified as fraudulent.</p>
+
+<h4><a name="p4.9.2" id="p4.9.2">4.9.2. Who can request revocation</a></h4>
+<p>The user for his own certificates. CAcert for fraudulent users.</p>
+
+<h4><a name="p4.9.3" id="p4.9.3">4.9.3. Procedure for revocation request</a></h4>
+<p>Web Interface for users, notification of CAcert for fraud.</p>
+
+<h4><a name="p4.9.4" id="p4.9.4">4.9.4. Revocation request grace period</a></h4>
+<p>not defined</p>
+
+<h4><a name="p4.9.5" id="p4.9.5">4.9.5. Time within which CA must process the revocation request</a></h4>
+The revocation in the Web Interface for users is automated, so the request should be handled in less than a minute.
+The notice of a fraudulent user must be processed by CAcert in less than one week.
+
+<h4><a name="p4.9.6" id="p4.9.6">4.9.6. Revocation checking requirement for relying parties</a></h4>
+<p>A relying party must verify a certificate against the most recent CRL issued, in order to validate the use of the certificate.</p>
+
+
+
+<h4><a name="p4.9.7" id="p4.9.7">4.9.7. CRL issuance frequency (if applicable)</a></h4>
+<p>CRLs are issued after every certificate revocation</p>
+
+<h4><a name="p4.9.8" id="p4.9.8">4.9.8. Maximum latency for CRLs (if applicable)</a></h4>
+<p>The maximum latency between revocation and CRL issuing is 1 hour.</p>
+
+<h4><a name="p4.9.9" id="p4.9.9">4.9.9. On-line revocation/status checking availability</a></h4>
+<p>A full OCSP responder is provided by CAcert under http://ocsp.cacert.org/</p>
+
+<h4><a name="p4.9.10" id="p4.9.10">4.9.10. On-line revocation checking requirements</a></h4>
+<p>no stipulation</p>
+
+<h4><a name="p4.9.11" id="p4.9.11">4.9.11. 
Other forms of revocation advertisements available</a></h4>
+<p>None</p>
+
+<h4><a name="p4.9.12" id="p4.9.12">4.9.12. Special requirements re key compromise</a></h4>
+<p>no stipulation</p>
+
+<h4><a name="p4.9.13" id="p4.9.13">4.9.13. Circumstances for suspension</a></h4>
+<p>Suspension of certificates is not available, only revocation.</p>
+
+<h4><a name="p4.9.14" id="p4.9.14">4.9.14. Who can request suspension</a></h4>
+<p>N/A</p>
+
+<h4><a name="p4.9.15" id="p4.9.15">4.9.15. Procedure for suspension request</a></h4>
+<p>N/A</p>
+
+<h4><a name="p4.9.16" id="p4.9.16">4.9.16. Limits on suspension period</a></h4>
+<p>N/A</p>
+
+<h3><a name="p4.10" id="p4.10">4.10. Certificate status services</a></h3>
+<h4><a name="p4.10.1" id="p4.10.1">4.10.1. Operational characteristics</a></h4>
+<p>An OCSP Responder is provided unter http://oscp.cacert.org/ .</p>
+<h4><a name="p4.10.2" id="p4.10.2">4.10.2. Service availability</a></h4>
+<p>OCSP is generally available on the internet. Due to the structure of the internet, the availability of the OCSP service
+can not be guaranteed at any client computer.</p>
+<h4><a name="p4.10.3" id="p4.10.3">4.10.3. Optional features</a></h4>
+<p>N/A</p>
+
+<h3><a name="p4.11" id="p4.11">4.11. End of subscription</a></h3>
+<p>The certificates expire automatically, if necessary, the certificates can be revoked by the user.
+
+<h3><a name="p4.12" id="p4.12">4.12. Key escrow and recovery</a></h3>
+<h4><a name="p4.12.1" id="p4.12.1">4.12.1. Key escrow and recovery policy and practices</a></h4>
+<p>CAcert does not offer a key escrow service.</p>
+<h4><a name="p4.12.2" id="p4.12.2">4.12.2. Session key encapsulation and recovery policy and practices</a></h4>
+<p>N/A</p>
+
+<h2><a name="p5" id="p5">5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS (11)</a></h2>
+<h3><a name="p5.1" id="p5.1">5.1. Physical controls</a></h3>
+<h4><a name="p5.1.1" id="p5.1.1">5.1.1. 
Site location and construction</a></h4>
+<p>The servers are located in a dedicated server housing center.</p>
+
+<h4><a name="p5.1.2" id="p5.1.2">5.1.2. Physical access</a></h4>
+<p>Physical access is restricted by door-locks and security-personnel</p>
+
+<h4><a name="p5.1.3" id="p5.1.3">5.1.3. Power and air conditioning</a></h4>
+<p>The power is maintained with a UPS and a power generator. Air conditioning is available</p>
+
+<h4><a name="p5.1.4" id="p5.1.4">5.1.4. Water exposures</a></h4>
+<p>The geographical region is not at risk of water exposures</p>
+
+<h4><a name="p5.1.5" id="p5.1.5">5.1.5. Fire prevention and protection</a></h4>
+<p>Fire detectors are installed</p>
+
+<h4><a name="p5.1.6" id="p5.1.6">5.1.6. Media storage</a></h4>
+<p>Sensitive data is always encrypted on external media.</p>
+
+<h4><a name="p5.1.7" id="p5.1.7">5.1.7. Waste disposal</a></h4>
+<p>Paper has to be shredded and burnt. Digital files have to be wiped with secure wipe programs.</p>
+
+<h4><a name="p5.1.8" id="p5.1.8">5.1.8. Off-site backup</a></h4>
+<p>CAcert has encrypted off-site backups</p>
+
+<h3><a name="p5.2" id="p5.2">5.2. Procedural controls</a></h3>
+<h4><a name="assure" id="assure">Registration and Trust Procedures</a></h4>
+<p>PKI doesn't have any inbuilt methods similar to PGP's Web of Trust to provide
+ peer to peer assurances, so to get round this CAcert Inc. 
was created to over
+ come this short fall and be able to provide a trust model for peer to peer trust.</p>
+<p>This is accomplished by several means.</p>
+<ul>
+ <li>All users are required to register.</li>
+ <li>During the registration process users are asked to supply information about
+ themselves:
+ <ul>
+<!-- <li>a unique ID number issued to them by their Government;</li> NOT ANYMORE-->
+ <li>a valid working email before their account is enabled;</li>
+ <li>personal information such as Date of Birth, Phone Number, and Questions
+ for Password Retrieval.</li>
+ </ul>
+ </li>
+ <li>To have trust points issued in a face to face meeting there is strict guidelines
+ on how this must be achieved to be recognised by CAcert:
+ <ul>
+ <li>the person issuing the trust points must see 2 forms of photo ID:
+ <br>
+ At least one photo ID must be issued by a government body.
+ Acceptable forms of ID include Passports, Drivers Licenses and ID Cards</li>
+ </ul>
+ </li>
+</ul>
+<h4><a name="email" id="email">Email and Client Certificate Procedures</a></h4>
+<p>Email addresses are verified and certificates issued in the following manner:</p>
+<ul>
+ <li>System generates a unique, hard to guess MD5 string from characters in /dev/random</li>
+ <li>System generates a link using the MD5 string and sends to the user an email.</li>
+ <li>Once the user receives the email, they simply click on the URL to verify
+ they have control of that email account.</li>
+ <li>Once the email is verified the user is then free to generate certificates
+ based on that account</li>
+ <li>All fields in certificates are generated by the system, based on information
+ stored in the database.</li>
+ <li>Names only appear on certificates once 50 trust points have been earned,
+ and the person has proved their identity.</li>
+</ul>
+<h4><a name="server" id="server">Server Certificate Procedures</a></h4>
+<p>Before the system will issue server certificates to users, the user must prove
+ similar to the 
email verification system that they have right to control that
+ domain, and any host or subdomains of the domain.</p>
+<p>This is achieved by the following:</p>
+<ul>
+ <li>The user places a request to be able to issue certificates for a domain.</li>
+ <li>The system generates a unique, hard to guess MD5 string from characters
+ in /dev/random.</li>
+ <li>The system generates a link using the MD5 string.</li>
+ <li>The user chooses from a list of predefined administration accounts (such
+ as postmaster@domain) or;</li>
+ <li>The user is given the option to use email accounts from whois records of
+ the domain.</li>
+ <li>The system sends a validation email to the chosen email account.</li>
+ <li>Once verified the user is able to create CSRs for hosts below the domain
+ in the CN field.</li>
+ <li>System verifies the fields and issues a signed certificate accordingly to
+ the user.</li>
+</ul>
+
+
+<h4><a name="p5.2.1" id="p5.2.1">5.2.1. Trusted roles</a></h4>
+<ul>
+<li>Trusted-Third-Party Assurance</li>
+<li>Assurers</li>
+<li>Support Personnel</li>
+<li>Developers</li>
+<li>System Administrator</li>
+</ul>
+
+<h4><a name="p5.2.2" id="p5.2.2">5.2.2. Number of persons required per task</a></h4>
+<p>For assurance, a minimum number of 2 Assurers are needed.</p>
+
+<h4><a name="p5.2.3" id="p5.2.3">5.2.3. Identification and authentication for each role</a></h4>
+<ul>
+<li>For Trusted-Third-Party Assurance, Bank managers and Notaries are trusted to proove the identity of the subjects.</li>
+<li>Assurers need to have minimum 100 points. An additional Assurer Test is planned, and will be a requirement when completed.</li>
+<li>Support Personnel needs to have Security Personnel Clearance</li>
+<li>Developers need to have Security Personnel Clearance and Secure Development Certification</li>
+<li>System administrators need to have Security Personnel Clearance</li>
+</ul>
+<h4><a name="p5.2.4" id="p5.2.4">5.2.4. 
Roles requiring separation of duties</a></h4>
+<p>An audit (WebTrust, ...) of the CA must not be done by someone affiliated with CAcert (Board, Assurer, ...).</p>
+
+<h3><a name="p5.3" id="p5.3">5.3. Personnel controls</a></h3>
+<h4><a name="p5.3.1" id="p5.3.1">5.3.1. Qualifications, experience, and clearance requirements</a></h4>
+<ul>
+<li>Assurers need to have minimum 100 points in the CAcert Web-of-Trust. An additional Assurer Test is planned, and will be a requirement when completed.</li>
+<li>Developers need to proof knowledge and practice in Secure Development Practices</li>
+</ul>
+<h4><a name="p5.3.2" id="p5.3.2">5.3.2. Background check procedures</a></h4>
+<p>Support Personnel, Developers and System administrators have to undergo a detailed background check:</p>
+
+<ul>
+ <li>Knowledge checks (decent knowledge on the following topics has to be queried)</li>
+ <ul>
+ <li>Secure programming (applies only for developers, and partly for administrators)</li>
+ <li>Responsibilities brought by the role</li>
+ </ul>
+ <li>Trustworthiness</li>
+ <ul>
+ <li>Any information the person gives, should be cross-checked, and verified. </li>
+ <li>Lie-detection: Any detected lies makes the person untrustworthy.</li>
+ </ul>
+ <li>Risk and Liability</li>
+ <ul>
+ <li>Is the person able and willing to accept the risk and liability coming from the role?</li>
+ </ul>
+ <li>Identity</li>
+ <ul>
+ <li>The identity of the person has to be checked. (Assurer-Status)</li>
+ <li>The location of the person has to be checked. (Where does he/she live?)</li>
+ </ul>
+ <li>Persuasion-Resistance</li>
+ <ul>
+ <li>Social-Engineering</li>
+ <li>Family</li>
+ </ul>
+</ul>
+
+<h4><a name="p5.3.3" id="p5.3.3">5.3.3. Training requirements</a></h4>
+<p>There are no training requirements.</p>
+
+<h4><a name="p5.3.4" id="p5.3.4">5.3.4. Retraining frequency and requirements</a></h4>
+<p>N/A</p>
+
+<h4><a name="p5.3.5" id="p5.3.5">5.3.5. 
Job rotation frequency and sequence</a></h4>
+<p>There is no planned job rotation yet.</p>
+
+<h4><a name="p5.3.6" id="p5.3.6">5.3.6. Sanctions for unauthorized actions</a></h4>
+<p>In case of unauthorized, grossly negligent or otherwise damaging actions, CAcert can revoke
+the authorization of a person, and the taken actions that were done, as far as possible.
+
+<h4><a name="p5.3.7" id="p5.3.7">5.3.7. Independent contractor requirements</a></h4>
+<p>There are no independent contractors.</p>
+
+<h4><a name="p5.3.8" id="p5.3.8">5.3.8. Documentation supplied to personnel</a></h4>
+<p>CAcert is supplying documentation about general security and social engineering to its personnel</p>
+
+<h3><a name="p5.4" id="p5.4">5.4. Audit logging procedures</a></h3>
+
+<h4><a name="p5.4.1" id="p5.4.1">5.4.1. Types of events recorded</a></h4>
+<p>The system is using the common Linux syslog facilities:</p>
+<ul>
+<li>Access and errors from the webserver</li>
+<li>Server starting and stopping</li>
+<li>Mails sent through the mailserver</li>
+</ul>
+
+<h4><a name="p5.4.2" id="p5.4.2">5.4.2. Frequency of processing log</a></h4>
+<p>The events are stored, and only processed on manual demand</p>
+
+<h4><a name="p5.4.3" id="p5.4.3">5.4.3. Retention period for audit log</a></h4>
+<p>The log files are being archived for at least 6 month.</p>
+
+<h4><a name="p5.4.4" id="p5.4.4">5.4.4. Protection of audit log</a></h4>
+<p>The access to the audit logs is secured with file permissions, so that only the system
+administrators have access to the logs.</p>
+
+<h4><a name="p5.4.5" id="p5.4.5">5.4.5. Audit log backup procedures</a></h4>
+<p>The log-files are automatically backup´d daily to a backup-server.</p>
+
+<h4><a name="p5.4.6" id="p5.4.6">5.4.6. Audit collection system (internal vs. external)</a></h4>
+<p>N/A</p>
+
+<h4><a name="p5.4.7" id="p5.4.7">5.4.7. 
Notification to event-causing subject</a></h4>
+<p>The administrator decides on a case-by-case basis,
+whether it makes sense to notify the event-causing subject.</p>
+
+<h4><a name="p5.4.8" id="p5.4.8">5.4.8. Vulnerability assessments</a></h4>
+
+
+<h3><a name="p5.5" id="p5.5">5.5. Records archival</a></h3>
+<h4><a name="p5.5.1" id="p5.5.1">5.5.1. Types of records archived</a></h4>
+<p>The users, organisations, all issued certificates and signatures, and all assurances are recorded</p>
+
+<h4><a name="p5.5.2" id="p5.5.2">5.5.2. Retention period for archive</a></h4>
+<p>The data retention period is planned to be 30 years, to be usable for digital signature applications</p>
+
+<h4><a name="p5.5.3" id="p5.5.3">5.5.3. Protection of archive</a></h4>
+<p>The data is stored in a live-database</p>
+
+<h4><a name="p5.5.4" id="p5.5.4">5.5.4. Archive backup procedures</a></h4>
+<p>The data is regularly backup´d on encrypted media</p>
+
+<h4><a name="p5.5.5" id="p5.5.5">5.5.5. Requirements for time-stamping of records</a></h4>
+<p>The records are timestamped with a time-synchronized server</p>
+
+<h4><a name="p5.5.6" id="p5.5.6">5.5.6. Archive collection system (internal or external)</a></h4>
+<h4><a name="p5.5.7" id="p5.5.7">5.5.7. Procedures to obtain and verify archive information</a></h4>
+<p>There are no special procedures to obtain archive information</p>
+
+<h3><a name="p5.6" id="p5.6">5.6. Key changeover</a></h3>
+<h3><a name="p5.7" id="p5.7">5.7. Compromise and disaster recovery</a></h3>
+<h4><a name="p5.7.1" id="p5.7.1">5.7.1. 
Incident and compromise handling procedures</a></h4>
+<p>In case of emergency, the system administrators may shut-down the services, until the integrity and security of the system is ensured again</p>
+<p>All passwords of the affected systems have to be changed.</p>
+<p>The log-files and the data of the backups have to be compared with the current data to detect modifications.</p>
+<p>The identity of the intruder has to be determined.</p>
+<p>The motives of the intruder have to be determined.</p>
+
+<p>In case of a leak, all unauthorized copies of the data have to tracked down, and securely deleted (wiped, ...).</p>
+
+<h4><a name="p5.7.2" id="p5.7.2">5.7.2. Computing resources, software, and/or data are corrupted</a></h4>
+<p>In the case of corrupted data, a backup can be restored, and the users have to be informed that any changes in the mean time are gone.</p>
+
+<h4><a name="p5.7.3" id="p5.7.3">5.7.3. Entity private key compromise procedures</a></h4>
+<p>In the unlikely case of a private key compromise, first an investigation of the security leak has to be done.
+Afterwards, a new key is generated, published on the website, and distributed to known relying parties like the browser vendors, ...</p>
+
+<h4><a name="p5.7.4" id="p5.7.4">5.7.4. Business continuity capabilities after a disaster</a></h4>
+<p>In case of a disaster, a new system will have to be setup, and the off-site backups restored.</p>
+
+<h3><a name="p5.8" id="p5.8">5.8. CA or RA termination</a></h3>
+<p>When an Assurer terminates the operation, the remaining documents have to be sent to CAcert.</p>
+
+<h2><a name="p6" id="p6">6. TECHNICAL SECURITY CONTROLS (11)</a></h2>
+<h3><a name="p6.1" id="p6.1">6.1. Key pair generation and installation</a></h3>
+<h4><a name="p6.1.1" id="p6.1.1">6.1.1. Key pair generation</a></h4>
+<p>The Key Pair is always generated by the user, either offline for server certificates, or online with the Browser.</p>
+
+<h4><a name="p6.1.2" id="p6.1.2">6.1.2. 
Private key delivery to subscriber</a></h4> +<p>CAcert never generates Private Keys for users, or delivers them to users.</p> + +<h4><a name="p6.1.3" id="p6.1.3">6.1.3. Public key delivery to certificate issuer</a></h4> +<p>For OpenPGP key-signatures, the public key together with the certificates is available in the signed key.</p> + +<h4><a name="p6.1.4" id="p6.1.4">6.1.4. CA public key delivery to relying parties</a></h4> +<p>The CA public key is always published on the website of CAcert.</p> +<p>Additionally the CA public key can be included in Third-Party Software like Browsers, Email-Clients, ...</p> + +<h4><a name="p6.1.5" id="p6.1.5">6.1.5. Key sizes</a></h4> +<p>The minimum keysize for OpenPGP keys is 1024 Bit.</p> +<p>The minimum keysize for X.509 keys is 1024 Bit.</p> + +<h4><a name="p6.1.6" id="p6.1.6">6.1.6. Public key parameters generation and quality checking</a></h4> +<p>CAcert conforms to the ETSI SR 002 176: +<a href="http://webapp.etsi.org/action\PU/20030401/sr_002176v010101p.pdf">http://webapp.etsi.org/action\PU/20030401/sr_002176v010101p.pdf</a> +</p> + +<h4><a name="p6.1.7" id="p6.1.7">6.1.7. Key usage purposes (as per X.509 v3 key usage field)</a></h4> +<p>The CAcert root certificate is a general purpose certificate.</p> + +<h3><a name="p6.2" id="p6.2">6.2. Private Key Protection and Cryptographic Module Engineering Controls</a></h3> +<p><a href="http://www.cacert.org/help.php?id=7">CAcert Root key protection</a></p> + +<h4><a name="p6.2.1" id="p6.2.1">6.2.1. Cryptographic module standards and controls</a></h4> +<p>CAcert is using FIPS 140 minimum Level 2 certified systems.</p> + +<h4><a name="p6.2.2" id="p6.2.2">6.2.2. Private key (n out of m) multi-person control</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.3" id="p6.2.3">6.2.3. Private key escrow</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.4" id="p6.2.4">6.2.4. Private key backup</a></h4> +<p>The private key is backuped off-site encrypted.</p> + +<h4><a name="p6.2.5" id="p6.2.5">6.2.5. 
Private key archival</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.6" id="p6.2.6">6.2.6. Private key transfer into or from a cryptographic module</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.7" id="p6.2.7">6.2.7. Private key storage on cryptographic module</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.8" id="p6.2.8">6.2.8. Method of activating private key</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.9" id="p6.2.9">6.2.9. Method of deactivating private key</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.10" id="p6.2.10">6.2.10. Method of destroying private key</a></h4> +<p>N/A</p> + +<h4><a name="p6.2.11" id="p6.2.11">6.2.11. Cryptographic Module Rating</a></h4> +<p>N/A</p> + +<h3><a name="p6.3" id="p6.3">6.3. Other aspects of key pair management</a></h3> +<h4><a name="p6.3.1" id="p6.3.1">6.3.1. Public key archival</a></h4> +<p>N/A</p> +<h4><a name="p6.3.2" id="p6.3.2">6.3.2. Certificate operational periods and key pair usage periods</a></h4> +<p>N/A</p> + +<h3><a name="p6.4" id="p6.4">6.4. Activation data</a></h3> +<h4><a name="p6.4.1" id="p6.4.1">6.4.1. Activation data generation and installation</a></h4> +<p>N/A</p> +<h4><a name="p6.4.2" id="p6.4.2">6.4.2. Activation data protection</a></h4> +<p>N/A</p> +<h4><a name="p6.4.3" id="p6.4.3">6.4.3. Other aspects of activation data</a></h4> +<p>N/A</p> + +<h3><a name="p6.5" id="p6.5">6.5. Computer security controls</a></h3> +<h4><a name="p6.5.1" id="p6.5.1">6.5.1. Specific computer security technical requirements</a></h4> +<p>N/A</p> +<h4><a name="p6.5.2" id="p6.5.2">6.5.2. Computer security rating</a></h4> +<p>N/A</p> + +<h3><a name="p6.6" id="p6.6">6.6. Life cycle technical controls</a></h3> +<h4><a name="p6.6.1" id="p6.6.1">6.6.1. System development controls</a></h4> +<p>N/A</p> +<h4><a name="p6.6.2" id="p6.6.2">6.6.2. Security management controls</a></h4> +<p>N/A</p> +<h4><a name="p6.6.3" id="p6.6.3">6.6.3. Life cycle security controls</a></h4> +<p>N/A</p> + +<h3><a name="p6.7" id="p6.7">6.7. 
Network security controls</a></h3> +<p>There are both network firewalls and server based firewalls to secure the systems.</p> +<h3><a name="p6.8" id="p6.8">6.8. Time-stamping</a></h3> +<p>CAcert uses at least NTP time-synchronisation on every sub-component as a trusted time sources.</p> + +<h2><a name="p7" id="p7">7. CERTIFICATE, CRL, AND OCSP PROFILES</a></h2> +<h3><a name="p7.1" id="p7.1">7.1. Certificate profile</a></h3> +<h4><a name="p7.1.1" id="p7.1.1">7.1.1. Version number(s)</a></h4> +<p>(<a href="#imp">imp</a>): X.509 v3</p> + +<h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4> +<p>Client certificates do not include extensions.</p> +<p>Server certificates include the following extensions: keyUsage=digitalSignature,keyEncipherment extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</p> +<p>Code-Signing certificates include the following extensions: keyUsage=digitalSignature,keyEncipherment extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</p> + + +<h4><a name="p7.1.3" id="p7.1.3">7.1.3. Algorithm object identifiers</a></h4> +<p>no stipulation</p> + +<h4><a name="p7.1.4" id="p7.1.4">7.1.4. Name forms</a></h4> +<p class="tbd">Is this the same as <a href="#p3.1.1">3.1.1</a></p> + +<h4><a name="p7.1.5" id="p7.1.5">7.1.5. Name constraints</a></h4> +<p class="tbd">Is this the same as <a href="#p3.1.1">3.1.1</a></p> + +<h4><a name="p7.1.6" id="p7.1.6">7.1.6. Certificate policy object identifier</a></h4> +<p>The Policy OID will be a subkey of the key specified under <a href="#p1.2">1.2</a></p> + +<h4><a name="p7.1.7" id="p7.1.7">7.1.7. Usage of Policy Constraints extension</a></h4> +<p>no stipulation</p> + +<h4><a name="p7.1.8" id="p7.1.8">7.1.8. Policy qualifiers syntax and semantics</a></h4> +<p>no stipulation</p> + +<h4><a name="p7.1.9" id="p7.1.9">7.1.9. Processing semantics for the critical Certificate Policies extension</a></h4> +<p>no stipulation</p> + + +<h3><a name="p7.2" id="p7.2">7.2. 
CRL profile</a></h3> +<h4><a name="p7.2.1" id="p7.2.1">7.2.1. Version number(s)</a></h4> +<p>(<a href="#imp">imp</a>): X.509 v2</p> + +<h4><a name="p7.2.2" id="p7.2.2">7.2.2. CRL and CRL entry extensions</a></h4> + +<h3><a name="p7.3" id="p7.3">7.3. OCSP profile</a></h3> +<h4><a name="p7.3.1" id="p7.3.1">7.3.1. Version number(s)</a></h4> +<p>OCSP Version 1</p> +<h4><a name="p7.3.2" id="p7.3.2">7.3.2. OCSP extensions</a></h4> +<p>N/A</p> + +<h2><a name="p8" id="p8">8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS</a></h2> +<p>CAcert declares to operate in compliance with this CPS.</p> +<p>If you want to contribute an audit for free or at a nominal charge, contact CAcert.</p> + +<h3><a name="p8.1" id="p8.1">8.1. Frequency or circumstances of assessment</a></h3> +<p>P</p> + +<h3><a name="p8.2" id="p8.2">8.2. Identity/qualifications of assessor</a></h3> +<p>P</p> + +<h3><a name="p8.3" id="p8.3">8.3. Assessor's relationship to assessed entity</a></h3> +<p>P</p> + +<h3><a name="p8.4" id="p8.4">8.4. Topics covered by assessment</a></h3> +<p>P</p> + +<h3><a name="p8.5" id="p8.5">8.5. Actions taken as a result of deficiency</a></h3> +<p>P</p> + +<h3><a name="p8.6" id="p8.6">8.6. Communication of results</a></h3> +<p>CAcert will publish the results of an audit on the CAcert.org website when it is available.</p> + +<h2><a name="p9" id="p9">9. OTHER BUSINESS AND LEGAL MATTERS</a></h2> +<h3><a name="p9.1" id="p9.1">9.1. Fees</a></h3> +<p>Registration and certificate lifetime services (issue, revoke, check) are free, +but CAcert retains the right to charge nominal fees for additional services, e.g. the TTP programm, or other services. +Due to the nominal nature of these fees, refund is usually not provided.</p> +<p>Membership is appreciated but not required to use CAcert services. Membership fees apply.</p> + +<h4><a name="p9.1.1" id="p9.1.1">9.1.1. 
Certificate issuance or renewal fees</a></h4> +<p>There are no certificate issuance or renewal fees.</p> +<h4><a name="p9.1.2" id="p9.1.2">9.1.2. Certificate access fees</a></h4> +<p>There are no certificate access fess.</p> +<h4><a name="p9.1.3" id="p9.1.3">9.1.3. Revocation or status information access fees</a></h4> +<p>There are no revocation or status information access fees.</p> + +<h4><a name="p9.1.4" id="p9.1.4">9.1.4. Fees for other services</a></h4> +<p>A trusted third party assurance directly from CAcert.org costs 10.- USD</p> +<h4><a name="p9.1.5" id="p9.1.5">9.1.5. Refund policy</a></h4> +<p>A refund of the membership fees is not possible.</p> + +<h3><a name="p9.2" id="p9.2">9.2. Financial responsibility</a></h3> +<p>No financial responsibility is accepted.</p> + +<h4><a name="p9.2.1" id="p9.2.1">9.2.1. Insurance coverage</a></h4> +<p>N/A</p> +<h4><a name="p9.2.2" id="p9.2.2">9.2.2. Other assets</a></h4> +<p>N/A</p> + +<h4><a name="p9.2.3" id="p9.2.3">9.2.3. Insurance or warranty coverage for end-entities</a></h4> +<p>N/A</p> + +<h3><a name="p9.3" id="p9.3">9.3. Confidentiality of business information</a></h3> + +<h4><a name="p9.3.1" id="p9.3.1">9.3.1. Scope of confidential information</a></h4> +<h4><a name="p9.3.2" id="p9.3.2">9.3.2. Information not within the scope of confidential information</a></h4> +<h4><a name="p9.3.3" id="p9.3.3">9.3.3. Responsibility to protect confidential information</a></h4> + +<h3><a name="p9.4" id="p9.4">9.4. Privacy of personal information</a></h3> +<p class="tbd">c.f <a href="http://www.cacert.org/index.php?id=10">privacy statement</a></p> + +<h4><a name="p9.4.1" id="p9.4.1">9.4.1. Privacy plan</a></h4> +<h4><a name="p9.4.2" id="p9.4.2">9.4.2. Information treated as private</a></h4> +<h4><a name="p9.4.3" id="p9.4.3">9.4.3. Information not deemed private</a></h4> +<h4><a name="p9.4.4" id="p9.4.4">9.4.4. Responsibility to protect private information</a></h4> +<h4><a name="p9.4.5" id="p9.4.5">9.4.5. 
Notice and consent to use private information</a></h4> +<h4><a name="p9.4.6" id="p9.4.6">9.4.6. Disclosure pursuant to judicial or administrative process</a></h4> +<h4><a name="p9.4.7" id="p9.4.7">9.4.7. Other information disclosure circumstances</a></h4> + +<h3><a name="p9.5" id="p9.5">9.5. Intellectual property rights</a></h3> +<p>We are committed to the <a href="http://www.fsf.org/philosophy/free-sw.html">philosophy of free software</a>, +but non of the <a href="http://www.opensource.org/licenses/index.php">Open Source Initiative OSI - Licensing</a> +perfectly matches the mix of various forms of intellectual property this +site consists of, including but not limited to code, content, data, images, +design elements. Therefore the terms of <a href="http://www.gnu.org/copyleft/gpl.html">GPL</a> will apply to +all code which contains such a comment and <a href="http://www.gnu.org/copyleft/fdl.html">FDL</a> will apply +to all content, which contains such a comment. Elements without such a comment are CAcert proprietary and are +not free for distribution. This affects especially the CAcert logo and other elements, which give CAcert its +identity. 
In addition to the GPL/FDL rules, you have to ensure your set up is clearly distinguishable +from the original CAcert site and cannot be mistaken for the original.</p> +<!-- <p>Teus suggestion</p> +<ul> + <li>you do not want code split</li> + <li>you do not want copyright (acknowledgement) violation</li> + <li>you want feedback and the free use of the feedback</li> + <li>you want acknowledgement</li> + <li>you do not want claims for damages caused by usage of software (you do not want to be bothered...)</li> + <li>do you want a share in the profit?</li> +</ul> --> + +<h5><a name="rcon" id="rcon">CAcert Contributors</a></h5> +<p>The contributor assures that the material he contributes is his +intellectual property or he has the right to use it for his contribution.</p> +<h6><a name="cpyconp" id="cpyconp">Paid work</a></h6> +<p>All rights are granted to CAcert, which is covered by payment for +services rendered</p> +<h6><a name="cpyconu" id="cpyconu">Unpaid work</a></h6> +<p>The contributor grants CAcert Inc. the non-exclusive right to use any +contribution, without any obligations of any licenses, such as the +GPL's clause about full disclosure. The contributor has the right to +reuse any work for other projects and under other licenses, but this +right is limited to any actual contribution. Simply making +modifications does not give rights over any greater entity or the site +in general. (c.f. <a href="#dwrk">Contributions</a></p> + + +<h3><a name="p9.6" id="p9.6">9.6. Representations and warranties</a></h3> + +<h4><a name="p9.6.1" id="p9.6.1">9.6.1. CA representations and warranties</a></h4> +<p>CAcert is freed from any liabilities to the greatest + extend permitted by applicable laws. This includes, but is + not limited to restricting the liability to gross negligence + and intent.</p> + +<h4><a name="p9.6.2" id="p9.6.2">9.6.2. RA representations and warranties</a></h4> +<p>RAs are freed from any liabilities to the greatest + extend permitted by applicable laws. 
This includes, but is + not limited to restricting the liability to gross negligence + and intent.</p> + +<h4><a name="p9.6.3" id="p9.6.3">9.6.3. Subscriber representations and warranties</a></h4> +<h4><a name="p9.6.4" id="p9.6.4">9.6.4. Relying party representations and warranties</a></h4> +<h4><a name="p9.6.5" id="p9.6.5">9.6.5. Representations and warranties of other participants</a></h4> +<h5><a name="liap" id="liap">paid</a></h5> +<p>The contributor is at least liable for gross negligence and intent. +Additional liabilities may be set out in an individual contracts.</p> +<h5><a name="liau" id="liau">unpaid</a></h5> +<p>The contributor will only be liable for gross negligence and intent.</p> + + +<h3><a name="p9.7" id="p9.7">9.7. Disclaimers of warranties</a></h3> +<h3><a name="p9.8" id="p9.8">9.8. Limitations of liability</a></h3> +<h3><a name="p9.9" id="p9.9">9.9. Indemnities</a></h3> +<h3><a name="p9.10" id="p9.10">9.10. Term and termination</a></h3> +<h4><a name="p9.10.1" id="p9.10.1">9.10.1. Term</a></h4> +<p>If CAcert should terminate its operation, the root cert and all user information will be deleted.</p> +<p>If CAcert should be taken over by another organization, the board will decide if it's in the interest +of the registered users to be converted to the new organization. Registered users will be notified about +this change. A new root certificate will be issued.</p> + + +<h4><a name="p9.10.2" id="p9.10.2">9.10.2. Termination</a></h4> +<h4><a name="p9.10.3" id="p9.10.3">9.10.3. Effect of termination and survival</a></h4> + +<h3><a name="p9.11" id="p9.11">9.11. Individual notices and communications with participants</a></h3> +<p>If CAcert should terminate its operation, the root cert and all user information will be deleted.</p> +<p>If CAcert should be taken over by another organization, the board will decide if it's in the interest +of the registered users to be converted to the new organization. Registered users will be notified about +this change. 
A new root certificate will be issued.</p> + + +<h3><a name="p9.12" id="p9.12">9.12. Amendments</a></h3> +<h4><a name="p9.12.1" id="p9.12.1">9.12.1. Procedure for amendment</a></h4> +<p>A change of this document requires:</p> +<p>Users will not be warned in advance of changes to this document. Relevant changes will be published in the community as possible.</p> +<p class="tbd">Alternatively: All CAcert registered users will be notified 1 month before the change becomes effective.</p> +<p>Notification of CAcert cert redistributors depends on the contract we may have with them.</p> + + +<h4><a name="p9.12.2" id="p9.12.2">9.12.2. Notification mechanism and period</a></h4> +<p>This document might be mirrored to other sites or translated into different languages. + In case of differences the version on our main site <a href="http://www.cacert.org/">CAcert Inc.</a> + is valid.</p> + +<h4><a name="p9.12.3" id="p9.12.3">9.12.3. Circumstances under which OID must be changed</a></h4> + +<h3><a name="p9.13" id="p9.13">9.13. Dispute resolution provisions</a></h3> +<ul> + <li>Inform CAcert that you consider your rights affected by CAcert and what your claims are. + Give CAcert reasonable time to evaluate the case. The actual time depends on the nature of the case. + Provide CAcert with all required information. Do intermediate inquiries to make sure that CAcert and + you aren't waiting for each other in a deadlock situation.</li> + <li>If the result is unsatisfactory for you, engage arbitration entities if applicable.</li> + <li>Inform CAcert that you will sue them if not offered a different solution.</li> + <li>Appeal to the court defined in 2.4.1</li> +</ul> + +<h3><a name="p9.14" id="p9.14">9.14. 
Governing law</a></h3> +<p>This policy is applicable under the law of New South Wales, Australia.</p> +<p>If any term of this policy should be invalid under applicable laws, this term + should be replaced by the closest match according to applicable laws and the + validity of the other terms should not be affected.</p> +<p>Legal disputes arising from the operation of the CAcert will be treated according to the laws of NSW Australia.</p> +<p>Legal disputes arising from the operation of a CAcert Assurer will be treated according to the laws of the Assurers country.</p> +<p>CAcert will provide information about its users if legally forced to do so.</p> + + +<h3><a name="p9.15" id="p9.15">9.15. Compliance with applicable law</a></h3> +<h3><a name="p9.16" id="p9.16">9.16. Miscellaneous provisions</a></h3> +<h4><a name="p9.16.1" id="p9.16.1">9.16.1. Entire agreement</a></h4> +<h4><a name="p9.16.2" id="p9.16.2">9.16.2. Assignment</a></h4> +<h4><a name="p9.16.3" id="p9.16.3">9.16.3. Severability</a></h4> +<h4><a name="p9.16.4" id="p9.16.4">9.16.4. Enforcement (attorneys' fees and waiver of rights)</a></h4> +<h4><a name="p9.16.5" id="p9.16.5">9.16.5. 
Force Majeure</a></h4> + + + + + + + + +<!-- + +TODOTODOTODOTODOTODOTODO + +<h3><a name="p2.1" id="p2.1">2.1 Obligations</a></h3> +<h5><a name="rusr" id="rusr">CAcert Users</a></h5> +<p>Users who use material from CAcert for cryptographic purposes + assure that cryptography is not illegal according to laws applicable to these + users.</p> +<p>You warrant that the Service shall not be used: (a) fraudulently or in connection with any criminal offence; or (b) to send, receive, upload, download, use or re-use any material which is offensive, abusive, indecent, defamatory, obscene, menacing, or in breach of copyright, confidence, privacy or any other rights; or (c) to cause annoyance, inconvenience or needless anxiety; or (d) to send unsolicited advertising or promotional material or any other unsolicited Information; or (e) other than in accordance with the use policies and rules of your ISP and any local, state, province, territory or federal laws that may be applicable to you. + You agree to be liable for all unauthorised use of the Service. In the event of such unauthorised use, CAcert Inc. can suspend or terminate partially or totally this Agreement, at its sole option. You agree to inform CAcert Inc. immediately if you have any reason to believe that there is likely to be a use of the service in any unauthorised way.</p> +<p>Users will not seek unauthorised access to elements of CAcert's +data, site, database and/or information stored by it, beyond the +access they have been granted by the CAcert regulations. Information must not be +wilfully manipulated in any way without the express consent of CAcert or unlawfully +altered.</p> + +<h5><a name="racn" id="racn">CAcert Authorized Contributor</a></h5> +<p>An authorized contributor may not disclose non public information +to any 3rd party without CAcert's express written consent. 
He is +entitled to communicate user related information to the affected +user if he took reasonable steps to verify his communication +partner is actually the legal owner of this information.</p> + +<h4><a name="p2.1.1" id="p2.1.1">2.1.1 CA obligations</a></h4> +<p>CAcert operates their service and distributes material in the hope that it + will be useful, but without any warranty; without even the implied warranty + of merchantability or fitness for a particular purpose.</p> + <p>Particularly CAcert issues certificates for CAcert registered users +based on the information provided by the RA, revokes certificates based on +the certificate owners requests and publishes the Certificate Revocation Lists (CRLs)</p> + +<h4><a name="p2.1.3" id="p2.1.3">2.1.3 Subscriber obligations</a></h4> +<p>CAcert subscribers will provide accurate Data to CAcert and they issue a revocation request if their +private key gets lost or becomes compromised.</p> +<h5><a name="rdom" id="rdom">CAcert domain master</a></h5> +<p>CAcert domain masters assure that they are legal owners of the domains they + request certificates for or are given the authority to do so by the domain owner.</p> +<h5><a name="rasd" id="rasd">CAcert assured user</a></h5> +<p>CAcert users assure that the statements they made towards CAcert or the CAcert + assurer are true and complete.</p> +<h5><a name="rnot" id="rnot">Notification</a></h5> +<p>Subscribers are notified hereby that electronic signatures can be legally binding. +The extent to which they are trusted depends on local legislation. Specifically +CAcert certificates do not enable you to do "qualified signatures". +That means that jurisdiction will decide on a case by case base whether or not they +are legally binding. Because of these legal implications, Subscribers must protect their private keys. +This included, that they are not supposed to provide this key to CAcert.</p> +<p>Digital encryption is not meant to be recovered without the private key. 
+If the private key is lost, all encrypted documents are lost and cannot be recovered.
+If the certificate expires or is revoked, some software will also refuse to
+decrypt documents. CAcert does not own this private key (c.f. previous paragraph) and
+thus cannot recover it. Therefore users are supposed to backup their key or prepare
+for the loss of encrypted documents.</p>
+<h4><a name="p2.1.4" id="p2.1.4">2.1.4 Relying party obligations</a></h4>
+
+
+
+
+<p>The following kinds of certificates are issues:</p>
+<ul>
+ <li>anonymous client certificates to <a href="#dreg">CAcert unassured user</a></li>
+ <li>client or code signing certificates to <a href="#dasd">CAcert assured user</a></li>
+ <li>server certificates to domains controlled by <a href="#ddom">CAcert domain masters</a></li>
+ <li>client certificates controlled by <a href="#dorg">CAcert organisation administrators</a></li>
+</ul>
+
+
+
+
+
+
+
+
+
+
+
+
+-->
+
+<h2>---This is the end of the Policy---</h2>
+
+<? showfooter(); ?>
diff --git a/cacert/www/disputes.php b/cacert/www/disputes.php
new file mode 100644
index 0000000..e87e5e6
--- /dev/null
+++ b/cacert/www/disputes.php
@@ -0,0 +1,436 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ ?> +<? + require_once("../includes/loggedin.php"); + + loadem("account"); + + $type=""; if(array_key_exists('type',$_REQUEST)) $type=$_REQUEST['type']; + $action=""; if(array_key_exists('action',$_REQUEST)) $action=sanitizeHTML($_REQUEST['action']); + + if($type == "reallyemail") + { + $emailid = intval($_SESSION['_config']['emailid']); + $hash = mysql_escape_string(trim($_SESSION['_config']['hash'])); + + $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'"); + if(mysql_num_rows($res) <= 0) + { + showheader(_("Email Dispute")); + echo _("This dispute no longer seems to be in the database, can't continue."); + showfooter(); + exit; + } + $row = mysql_fetch_assoc($res); + $oldmemid = $row['oldmemid']; + + if($action == "reject") + { + mysql_query("update `disputeemail` set hash='',action='reject' where `id`='".intval($emailid)."'"); + showheader(_("Email Dispute")); + echo _("You have opted to reject this dispute and the request will be removed from the database"); + showfooter(); + exit; + } + if($action == "accept") + { + showheader(_("Email Dispute")); + echo "<p>"._("You have opted to accept this dispute and the request will now remove this email address from the existing account, 
and revoke any current certificates.")."</p>"; + echo "<p>"._("The following accounts have been removed:")."<br>\n"; + $query = "select * from `email` where `id`='".intval($emailid)."' and deleted=0"; + $res = mysql_query($query); + if(mysql_num_rows($res) > 0) + { + $row = mysql_fetch_assoc($res); + echo $row['email']."<br>\n"; + $query = "select `emailcerts`.`id` + from `emaillink`,`emailcerts` where + `emailid`='$emailid' and `emaillink`.`emailcertsid`=`emailcerts`.`id` and + `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0 + group by `emailcerts`.`id`"; + $dres = mysql_query($query); + while($drow = mysql_fetch_assoc($dres)) + mysql_query("update `emailcerts` set `revoked`='1970-01-01 10:00:01' where `id`='".intval($drow['id'])."'"); + + $do = `../scripts/runclient`; + $query = "update `email` set `deleted`=NOW() where `id`='".intval($emailid)."'"; + mysql_query($query); + } + mysql_query("update `disputeemail` set hash='',action='accept' where `id`='$emailid'"); + $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0")); + $rc = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'")); + $res = mysql_query("select * from `users` where `id`='$oldmemid'"); + $user = mysql_fetch_assoc($res); + if($rc == 0 && $rc2 == 0 && $_SESSION['_config']['email'] == $user['email']) + { + mysql_query("update `users` set `deleted`=NOW() where `id`='$oldmemid'"); + echo _("This was the primary email on the account, and no emails or domains were left linked so the account has also been removed from the system."); + } + + showfooter(); + exit; + } + } + + if($type == "email") + { + $emailid = intval($_REQUEST['emailid']); + $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash']))); + if($emailid <= 0 || $hash == "") + { + showheader(_("Email Dispute")); + echo _("Invalid request. 
Can't continue."); + showfooter(); + exit; + } + + $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and `hash`='$hash'"); + if(mysql_num_rows($res) <= 0) + { + $res = mysql_query("select * from `disputeemail` where `id`='$emailid' and hash!=''"); + if(mysql_num_rows($res) > 0) + { + $row = mysql_fetch_assoc($res); + mysql_query("update `disputeemail` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'"); + showheader(_("Email Dispute")); + if($row['attempts'] >= 3) + { + echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID. Your attempt has been logged and the request will be removed from the system as a result."); + mysql_query("update `disputeemail` set hash='',action='failed' where `id`='$emailid'"); + } else + echo _("Your attempt to accept or reject a disputed email is invalid due to the hash string not matching with the email ID."); + showfooter(); + exit; + } else { + showheader(_("Email Dispute")); + echo _("Invalid request. 
Can't continue."); + showfooter(); + exit; + } + } + $_SESSION['_config']['emailid'] = $emailid; + $_SESSION['_config']['hash'] = $hash; + $row = mysql_fetch_assoc(mysql_query("select * from `disputeemail` where `id`='$emailid'")); + $_SESSION['_config']['email'] = $row['email']; + showheader(_("Email Dispute")); + includeit("4", "disputes"); + showfooter(); + exit; + } + + if($type == "reallydomain") + { + $domainid = intval($_SESSION['_config']['domainid']); + $hash = mysql_escape_string(trim($_SESSION['_config']['hash'])); + + $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'"); + if(mysql_num_rows($res) <= 0) + { + showheader(_("Domain Dispute")); + echo _("This dispute no longer seems to be in the database, can't continue."); + showfooter(); + exit; + } + + if($action == "reject") + { + mysql_query("update `disputedomain` set hash='',action='reject' where `id`='$domainid'"); + showheader(_("Domain Dispute")); + echo _("You have opted to reject this dispute and the request will be removed from the database"); + showfooter(); + exit; + } + if($action == "accept") + { + showheader(_("Domain Dispute")); + echo "<p>"._("You have opted to accept this dispute and the request will now remove this domain from the existing account, and revoke any current certificates.")."</p>"; + echo "<p>"._("The following accounts have been removed:")."<br>\n"; + $query = "select * from `domains` where `id`='$domainid' and deleted=0"; + $res = mysql_query($query); + if(mysql_num_rows($res) > 0) + { + echo $_SESSION['_config']['domain']."<br>\n"; + mysql_query("update `domains` set `deleted`=NOW() where `id`='$domainid'"); + $query = "select * from `domlink` where `domid`='$domainid'"; + $res = mysql_query($query); + while($row = mysql_fetch_assoc($res)) + mysql_query("update `domaincerts` set `revoked`='1970-01-01 10:00:01' where `id`='".$row['certid']."' and `revoked`=0 and UNIX_TIMESTAMP(`expire`)-UNIX_TIMESTAMP() > 0"); + $do = 
`../scripts/runserver`; + } + mysql_query("update `disputedomain` set hash='',action='accept' where `id`='$domainid'"); + showfooter(); + exit; + } + } + + if($type == "domain") + { + $domainid = intval($_REQUEST['domainid']); + $hash = trim(mysql_escape_string(stripslashes($_REQUEST['hash']))); + if($domainid <= 0 || $hash == "") + { + showheader(_("Domain Dispute")); + echo _("Invalid request. Can't continue."); + showfooter(); + exit; + } + + $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and `hash`='$hash'"); + if(mysql_num_rows($res) <= 0) + { + $res = mysql_query("select * from `disputedomain` where `id`='$domainid' and hash!=''"); + if(mysql_num_rows($res) > 0) + { + $row = mysql_fetch_assoc($res); + mysql_query("update `disputedomain` set `attempts`='".intval($row['attempts'] + 1)."' where `id`='".$row['id']."'"); + showheader(_("Domain Dispute")); + if($row['attempts'] >= 3) + { + echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID. Your attempt has been logged and the request will be removed from the system as a result."); + mysql_query("update `disputedomain` set hash='',action='failed' where `id`='$domainid'"); + } else + echo _("Your attempt to accept or reject a disputed domain is invalid due to the hash string not matching with the domain ID."); + showfooter(); + exit; + } else { + showheader(_("Domain Dispute")); + echo _("Invalid request. 
Can't continue."); + showfooter(); + exit; + } + } + $_SESSION['_config']['domainid'] = $domainid; + $_SESSION['_config']['hash'] = $hash; + $row = mysql_fetch_assoc(mysql_query("select * from `disputedomain` where `id`='$domainid'")); + $_SESSION['_config']['domain'] = $row['domain']; + showheader(_("Domain Dispute")); + includeit("6", "disputes"); + showfooter(); + exit; + } + + if($oldid == "1") + { + $email = trim(mysql_escape_string(stripslashes($_REQUEST['dispute']))); + if($email == "") + { + showheader(_("Email Dispute")); + echo _("Not a valid email address. Can't continue."); + showfooter(); + exit; + } + + $res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''"); + if(mysql_num_rows($res) > 0) + { + showheader(_("Email Dispute")); + printf(_("The email address '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($email)); + showfooter(); + exit; + } + + unset($oldid); + $query = "select * from `email` where `email`='$email' and `deleted`=0"; + $res = mysql_query($query); + if(mysql_num_rows($res) <= 0) + { + showheader(_("Email Dispute")); + printf(_("The email address '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email)); + showfooter(); + exit; + } + $row = mysql_fetch_assoc($res); + $oldmemid = $row['memid']; + $emailid = $row['id']; + if($_SESSION['profile']['id'] == $oldmemid) + { + showheader(_("Email Dispute")); + echo _("You aren't allowed to dispute your own email addresses. 
Can't continue."); + showfooter(); + exit; + } + + $res = mysql_query("select * from `users` where `id`='$oldmemid'"); + $user = mysql_fetch_assoc($res); + $rc = mysql_num_rows(mysql_query("select * from `domains` where `memid`='$oldmemid' and `deleted`=0")); + $rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'")); + if($user['email'] == $email && ($rc > 0 || $rc2 > 0)) + { + showheader(_("Email Dispute")); + echo _("You only dispute the primary email address of an account if there is no longer any email addresses or domains linked to it."); + showfooter(); + exit; + } + + $hash = make_hash(); + $query = "insert into `disputeemail` set `email`='$email',`memid`='".intval($_SESSION['profile']['id'])."', + `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='".intval($emailid)."', + `IP`='".$_SERVER['REMOTE_ADDR']."'"; + mysql_query($query); + + $body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. 
Click the following link to accept or reject the dispute:"), $email)."\n\n"; + $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n"; + $body .= _("Best regards")."\n"._("CAcert.org Support!"); + + sendmail($email, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); + + showheader(_("Email Dispute")); + printf(_("The email address '%s' has been entered into the dispute system, the email address will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($email)); + showfooter(); + exit; + } + + if($oldid == "2") + { + $domain = trim(mysql_escape_string(stripslashes($_REQUEST['dispute']))); + if($domain == "") + { + showheader(_("Domain Dispute")); + echo _("Not a valid Domain. Can't continue."); + showfooter(); + exit; + } + + $query = "select * from `disputedomain` where `domain`='$domain' and hash!=''"; + $res = mysql_query($query); + if(mysql_num_rows($res) > 0) + { + showheader(_("Domain Dispute")); + printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain)); + showfooter(); + exit; + } + unset($oldid); + $query = "select * from `domains` where `domain`='$domain' and `deleted`=0"; + $email = ""; if(array_key_exists('email',$_REQUEST)) $email=trim(mysql_real_escape_string($_REQUEST['email'])); + $res = mysql_query($query); + if(mysql_num_rows($res) <= 0) + { + showheader(_("Domain Dispute")); + printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email)); + showfooter(); + exit; + } + $row = mysql_fetch_assoc($res); + $oldmemid = $row['memid']; + if($_SESSION['profile']['id'] == $oldmemid) + { + showheader(_("Domain Dispute")); + echo _("You aren't allowed to dispute your own domains. 
Can't continue."); + showfooter(); + exit; + } + + $domainid = $row['id']; + $_SESSION['_config']['domainid'] = $domainid; + $_SESSION['_config']['memid'] = array_key_exists('memid',$_REQUEST)?intval($_REQUEST['memid']):0; + $_SESSION['_config']['domain'] = $domain; + $_SESSION['_config']['oldmemid'] = $oldmemid; + + $addy = array(); + $domtmp = escapeshellarg($domain); + if(strtolower(substr($domtmp, -4, 3)) != ".jp") + $adds = explode("\n", trim(`whois $domtmp|grep \@`)); + if(substr($domain, -4) == ".org" || substr($domain, -5) == ".info") + { + if(is_array($adds)) + foreach($adds as $line) + { + $bits = explode(":", $line, 2); + $line = trim($bits[1]); + if(!in_array($line, $addy) && $line != "") + $addy[] = trim(mysql_escape_string(stripslashes($line))); + } + } else { + if(is_array($adds)) + foreach($adds as $line) + { + $line = trim(str_replace("\t", " ", $line)); + $line = trim(str_replace("(", "", $line)); + $line = trim(str_replace(")", " ", $line)); + + $bits = explode(" ", $line); + foreach($bits as $bit) + { + if(strstr($bit, "@")) + $line = $bit; + } + if(!in_array($line, $addy) && $line != "") + $addy[] = trim(mysql_escape_string(stripslashes($line))); + } + } + + $rfc = array("root@$domain", "hostmaster@$domain", "postmaster@$domain", "admin@$domain", "webmaster@$domain"); + foreach($rfc as $sub) + if(!in_array($sub, $addy)) + $addy[] = $sub; + $_SESSION['_config']['addy'] = $addy; + showheader(_("Domain Dispute")); + includeit("5", "disputes"); + showfooter(); + exit; + } + + if($oldid == "5") + { + $authaddy = trim(mysql_escape_string(stripslashes($_REQUEST['authaddy']))); + + if(!in_array($authaddy, $_SESSION['_config']['addy']) || $authaddy == "") + { + showheader(_("My CAcert.org Account!")); + echo _("The address you submitted isn't a valid authority address for the domain."); + showfooter(); + exit; + } + + $query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0"; + $res = mysql_query($query); + 
if(mysql_num_rows($res) <= 0) + { + showheader(_("Domain Dispute!")); + printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain'])); + showfooter(); + exit; + } + + $domainid = intval($_SESSION['_config']['domainid']); + $memid = intval($_SESSION['_config']['memid']); + $oldmemid = intval($_SESSION['_config']['oldmemid']); + $domain = mysql_escape_string($_SESSION['_config']['domain']); + + $hash = make_hash(); + $query = "insert into `disputedomain` set `domain`='$domain',`memid`='".$_SESSION['profile']['id']."', + `oldmemid`='$oldmemid',`created`=NOW(),`hash`='$hash',`id`='$domainid'"; + mysql_query($query); + + $body = sprintf(_("You have been sent this email as the domain '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $domain)."\n\n"; + $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=domain&domainid=$domainid&hash=$hash\n\n"; + $body .= _("Best regards")."\n"._("CAcert.org Support!"); + + sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); + + showheader(_("Domain Dispute")); + printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain)); + showfooter(); + exit; + } + + showheader(_("Domain and Email Disputes")); + includeit($id, "disputes"); + showfooter(); +?> diff --git a/cacert/www/docs/CAcert_Rules.pdf b/cacert/www/docs/CAcert_Rules.pdf Binary files differnew file mode 100644 index 0000000..96aaabb --- /dev/null +++ b/cacert/www/docs/CAcert_Rules.pdf 
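Review bot: In the `reallyemail` accept branch the second count is assigned to `$rc` again, so the domain count is overwritten and `$rc2` is never set; the following `if($rc == 0 && $rc2 == 0 && ...)` then tests an undefined variable, which PHP's loose `==` treats as equal to 0. As written, the account is marked deleted whenever no other email address remains, even if domains are still linked to it, which contradicts the message printed in that branch. The second assignment should read ``$rc2 = mysql_num_rows(mysql_query("select * from `email` where `memid`='$oldmemid' and `deleted`=0 and `id`!='$emailid'"));``, matching the `$oldid == "1"` block further down where both counters are set. Separately, this branch echoes `$row['email']` (and the domain branch `$_SESSION['_config']['domain']`) without `sanitizeHTML()`, unlike the `printf` calls elsewhere in the file, and the "doesn't exist" message in the `$oldid == "2"` block prints `$email` where `$domain` is meant.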
diff --git a/cacert/www/docs/CAcert_Rules.sxw b/cacert/www/docs/CAcert_Rules.sxw Binary files differnew file mode 100644 index 0000000..8dc9acd --- /dev/null +++ b/cacert/www/docs/CAcert_Rules.sxw diff --git a/cacert/www/docs/CVS/Entries b/cacert/www/docs/CVS/Entries new file mode 100644 index 0000000..816955e --- /dev/null +++ b/cacert/www/docs/CVS/Entries @@ -0,0 +1,12 @@ +/CAcert_Rules.sxw/1.1/Fri May 13 15:41:53 2005// +/banner.jpg/1.1/Fri May 13 15:41:53 2005// +/cacert0304.pdf/1.1/Fri May 13 15:41:53 2005// +/cacert_display.pdf/1.1/Fri May 13 15:41:53 2005// +/cacert_display.sxw/1.1/Fri May 13 15:41:53 2005// +/encryption in the real world.sxi/1.1/Fri May 13 15:41:53 2005// +/flyer.sxw/1.1/Fri May 13 15:41:53 2005// +/incorporation.jpg/1.1/Fri May 13 15:41:53 2005// +/keys.pdf/1.1/Thu Nov 18 23:21:15 2004// +/keys.ps/1.1/Thu Nov 18 23:21:15 2004// +/CAcert_Rules.pdf/1.2/Sun May 25 20:51:17 2008// +D diff --git a/cacert/www/docs/CVS/Repository b/cacert/www/docs/CVS/Repository new file mode 100644 index 0000000..21a2b69 --- /dev/null +++ b/cacert/www/docs/CVS/Repository @@ -0,0 +1 @@ +cacert/www/docs diff --git a/cacert/www/docs/CVS/Root b/cacert/www/docs/CVS/Root new file mode 100644 index 0000000..a363882 --- /dev/null +++ b/cacert/www/docs/CVS/Root @@ -0,0 +1 @@ +/var/lib/cvs diff --git a/cacert/www/docs/banner.jpg b/cacert/www/docs/banner.jpg Binary files differnew file mode 100644 index 0000000..ddd61a9 --- /dev/null +++ b/cacert/www/docs/banner.jpg diff --git a/cacert/www/docs/cacert0304.pdf b/cacert/www/docs/cacert0304.pdf Binary files differnew file mode 100644 index 0000000..2ec818e --- /dev/null +++ b/cacert/www/docs/cacert0304.pdf diff --git a/cacert/www/docs/cacert_display.pdf b/cacert/www/docs/cacert_display.pdf new file mode 100644 index 0000000..e3d6214 --- /dev/null +++ b/cacert/www/docs/cacert_display.pdf @@ -0,0 +1,1641 @@ +%PDF-1.4
+%äöÜß
+1 0 obj
+<< /Length 2 0 R
+>>
+stream
+0 w
+q 0 -0.1 612.1 792.1 re W* n
+q 0 0 0 rg
+BT
+87.8 594.6 Td /F1 20 Tf <010203> Tj
+56.4 0 Td <04> Tj
+6.8 0 Td <05> Tj
+13.7 0 Td <02> Tj
+17 0 Td <04> Tj
+6.9 0 Td <06> Tj
+16.2 0 Td <07> Tj
+13.6 0 Td <05> Tj
+13.7 0 Td <04> Tj
+6.9 0 Td <08> Tj
+15.5 0 Td <09> Tj
+14.3 0 Td <09> Tj
+14.2 0 Td <0A> Tj
+16.3 0 Td <0B> Tj
+15.7 0 Td <07> Tj
+13.7 0 Td <0C> Tj
+16.8 0 Td <04> Tj
+6.9 0 Td <08> Tj
+15.5 0 Td <05> Tj
+13.8 0 Td <04> Tj
+6.8 0 Td <05> Tj
+13.6 0 Td <010D> Tj
+27.7 0 Td <09> Tj
+14.4 0 Td <04> Tj
+6.8 0 Td <07> Tj
+13.7 0 Td <0E> Tj
+15.3 0 Td <07> Tj
+13.7 0 Td <0F> Tj
+16.9 0 Td <05> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+66.6 548.4 Td /F2 17.5 Tf <01> Tj
+10.5 0 Td <02> Tj
+4.8 0 Td <03> Tj
+10.4 0 Td <04> Tj
+10.5 0 Td <05> Tj
+9.1 0 Td <03> Tj
+10.5 0 Td <06> Tj
+6.1 0 Td <07> Tj
+9.2 0 Td <08> Tj
+10.6 0 Td <09> Tj
+17 0 Td <0A> Tj
+10.9 0 Td <0203> Tj
+15.2 0 Td <0B> Tj
+6.9 0 Td <03> Tj
+10.5 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.6 0 Td <06> Tj
+6.1 0 Td <0C> Tj
+12.2 0 Td <0D> Tj
+12 0 Td <07> Tj
+9.1 0 Td <03> Tj
+10.4 0 Td <0E> Tj
+7.5 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <0D> Tj
+12 0 Td <05> Tj
+9.1 0 Td <05> Tj
+9.1 0 Td <0F> Tj
+11.1 0 Td <0E> Tj
+7.5 0 Td <04> Tj
+10.5 0 Td <10> Tj
+11 0 Td <07> Tj
+9.2 0 Td <03> Tj
+10.4 0 Td <06> Tj
+6.1 0 Td <010E> Tj
+18 0 Td <08> Tj
+10.7 0 Td <11> Tj
+10.9 0 Td <0E> Tj
+7.4 0 Td <04> Tj
+10.6 0 Td <09> Tj
+17 0 Td <09> Tj
+17 0 Td <03> Tj
+10.6 0 Td <06> Tj
+6.1 0 Td <12> Tj
+10 0 Td <08> Tj
+10.6 0 Td <0E> Tj
+7.5 0 Td <09> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+209.9 527.1 Td /F2 17.5 Tf <04> Tj
+10.5 0 Td <13> Tj
+10.4 0 Td <04> Tj
+10.4 0 Td <14> Tj
+4.8 0 Td <02> Tj
+4.7 0 Td <04> Tj
+10.6 0 Td <15> Tj
+10.8 0 Td <0203> Tj
+15.2 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+7.1 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <16> Tj
+11 0 Td <14> Tj
+4.7 0 Td <05> Tj
+9.2 0 Td <0617> Tj
+17 0 Td <03> Tj
+10.4 0 Td <05> Tj
+9.2 0 Td <18> Tj
+10.3 0 Td <19> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+82.7 484.4 Td /F2 17.5 Tf <1A> Tj
+10.8 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11.1 0 Td <0609> Tj
+23.1 0 Td <0F> Tj
+11.1 0 Td <05> Tj
+9.1 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <0A> Tj
+10.9 0 Td <0E> Tj
+7.5 0 Td <03> Tj
+10.4 0 Td <05> Tj
+9.1 0 Td <03> Tj
+10.5 0 Td <10> Tj
+11 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <1B> Tj
+14.3 0 Td <08> Tj
+10.7 0 Td <061C08> Tj
+22.9 0 Td <0E> Tj
+7.5 0 Td <09> Tj
+17 0 Td <05> Tj
+9.2 0 Td <06> Tj
+6.1 0 Td <08> Tj
+10.6 0 Td <1C> Tj
+6.2 0 Td <0611> Tj
+17 0 Td <08> Tj
+10.7 0 Td <13> Tj
+10.3 0 Td <03> Tj
+10.4 0 Td <0E> Tj
+7.5 0 Td <10> Tj
+11 0 Td <09> Tj
+17.1 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+6.9 0 Td <06> Tj
+6.1 0 Td <14> Tj
+4.8 0 Td <05> Tj
+9.1 0 Td <05> Tj
+9.1 0 Td <0F> Tj
+11 0 Td <03> Tj
+10.4 0 Td <17> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+181.5 463 Td /F2 17.5 Tf <14> Tj
+4.8 0 Td <17> Tj
+10.8 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+6.8 0 Td <14> Tj
+4.8 0 Td <1C> Tj
+6.1 0 Td <14> Tj
+4.7 0 Td <07> Tj
+9.1 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+6.9 0 Td <1408> Tj
+15.5 0 Td <10> Tj
+11 0 Td <060B> Tj
+13.1 0 Td <08> Tj
+10.7 0 Td <060F> Tj
+17.2 0 Td <05> Tj
+9.1 0 Td <1D> Tj
+6.3 0 Td <0605> Tj
+15.2 0 Td <0F> Tj
+11.1 0 Td <07> Tj
+9.1 0 Td <16> Tj
+11.1 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <05> Tj
+9.1 0 Td <1E> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+267.5 420.3 Td /F3 17.5 Tf <01> Tj
+10.6 0 Td <02> Tj
+10.4 0 Td <03> Tj
+9.1 0 Td <03> Tj
+9.2 0 Td <04> Tj
+10.9 0 Td <05> Tj
+10.6 0 Td <06> Tj
+7.5 0 Td <07> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+235.9 399 Td /F3 17.5 Tf <08> Tj
+13.4 0 Td <06> Tj
+7.5 0 Td <090A> Tj
+15.1 0 Td <0B> Tj
+10.5 0 Td <06> Tj
+7.4 0 Td <0C03> Tj
+13.8 0 Td <0D> Tj
+6.1 0 Td <0E> Tj
+9.7 0 Td <090F> Tj
+13.9 0 Td <0B> Tj
+10.5 0 Td <10> Tj
+11 0 Td <03> Tj
+9.1 0 Td <0B> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+184.4 377.6 Td /F3 17.5 Tf <11> Tj
+13.1 0 Td <02> Tj
+10.5 0 Td <07> Tj
+6.9 0 Td <09> Tj
+4.9 0 Td <05> Tj
+10.6 0 Td <10> Tj
+11.1 0 Td <02> Tj
+10.5 0 Td <12> Tj
+4.9 0 Td <0D> Tj
+6.1 0 Td <13> Tj
+7.4 0 Td <140B> Tj
+21.3 0 Td <10> Tj
+11 0 Td <07> Tj
+6.9 0 Td <0915090F> Tj
+24.9 0 Td <02> Tj
+10.5 0 Td <07> Tj
+6.9 0 Td <0905> Tj
+15.5 0 Td <10> Tj
+11.2 0 Td <0D16> Tj
+18.3 0 Td <02> Tj
+10.5 0 Td <06> Tj
+7.5 0 Td <14> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+218.9 356.3 Td /F3 17.5 Tf <17> Tj
+12.2 0 Td <0B> Tj
+10.4 0 Td <03> Tj
+9.1 0 Td <0914> Tj
+15.7 0 Td <0B> Tj
+10.5 0 Td <10> Tj
+11 0 Td <07> Tj
+7.1 0 Td <0D1812090B> Tj
+38.1 0 Td <10> Tj
+11.1 0 Td <0D16> Tj
+18.3 0 Td <02> Tj
+10.5 0 Td <06> Tj
+7.5 0 Td <14> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+86 334.9 Td /F3 17.5 Tf <19> Tj
+13.8 0 Td <07> Tj
+6.9 0 Td <1A> Tj
+11.1 0 Td <0B> Tj
+10.4 0 Td <06> Tj
+7.5 0 Td <0D> Tj
+6.1 0 Td <1B> Tj
+13.6 0 Td <05> Tj
+10.6 0 Td <0A> Tj
+10.3 0 Td <0B> Tj
+10.5 0 Td <06> Tj
+7.4 0 Td <10> Tj
+11.1 0 Td <1C> Tj
+17 0 Td <0B> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <07> Tj
+7 0 Td <0D011A> Tj
+27.7 0 Td <05> Tj
+10.6 0 Td <07> Tj
+6.9 0 Td <05> Tj
+10.8 0 Td <0D> Tj
+6.1 0 Td <0E> Tj
+9.8 0 Td <090F> Tj
+13.9 0 Td <0B> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <03> Tj
+9.1 0 Td <0B> Tj
+10.4 0 Td <03> Tj
+9.1 0 Td <0D1D> Tj
+14.1 0 Td <1E> Tj
+10.1 0 Td <16> Tj
+12.2 0 Td <16> Tj
+12.2 0 Td <1F> Tj
+7.9 0 Td <1E> Tj
+10.1 0 Td <1818> Tj
+23.9 0 Td <20> Tj
+6.5 0 Td <0D> Tj
+6.1 0 Td <0B> Tj
+10.4 0 Td <07> Tj
+6.9 0 Td <0F> Tj
+9.1 0 Td <21> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+77.8 292.2 Td /F2 17.5 Tf <1A> Tj
+10.8 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11.1 0 Td <0609> Tj
+23.1 0 Td <0F> Tj
+11.1 0 Td <05> Tj
+9.1 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <0A> Tj
+10.9 0 Td <0E> Tj
+7.4 0 Td <03> Tj
+10.5 0 Td <05> Tj
+9.1 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+7 0 Td <0602> Tj
+10.9 0 Td <03> Tj
+10.3 0 Td <04> Tj
+10.6 0 Td <05> Tj
+9.1 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <08> Tj
+10.6 0 Td <10> Tj
+11 0 Td <03> Tj
+10.6 0 Td <06> Tj
+6.1 0 Td <1C08> Tj
+16.7 0 Td <0E> Tj
+7.5 0 Td <09> Tj
+17.1 0 Td <06> Tj
+6.1 0 Td <08> Tj
+10.6 0 Td <1C06> Tj
+12.3 0 Td <0A> Tj
+10.9 0 Td <16> Tj
+11 0 Td <08> Tj
+10.6 0 Td <0B> Tj
+7 0 Td <08> Tj
+10.6 0 Td <110E> Tj
+18.4 0 Td <04> Tj
+10.6 0 Td <0A16> Tj
+21.9 0 Td <1407> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+246.6 270.9 Td /F2 17.5 Tf <14> Tj
+4.8 0 Td <17> Tj
+10.8 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+6.8 0 Td <14> Tj
+4.8 0 Td <1C> Tj
+6.1 0 Td <14> Tj
+4.7 0 Td <07> Tj
+9.1 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+6.9 0 Td <1408> Tj
+15.5 0 Td <10> Tj
+11 0 Td <19> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+43.1 228.2 Td /F2 17.5 Tf <1A> Tj
+10.8 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11 0 Td <0E> Tj
+7.5 0 Td <0614> Tj
+10.9 0 Td <17> Tj
+10.9 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11 0 Td <0B> Tj
+6.9 0 Td <14> Tj
+4.7 0 Td <1C> Tj
+6.1 0 Td <14> Tj
+4.8 0 Td <07> Tj
+9.1 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+6.9 0 Td <1408> Tj
+15.4 0 Td <10> Tj
+11.1 0 Td <06> Tj
+6.1 0 Td <14> Tj
+4.8 0 Td <05> Tj
+9 0 Td <0608> Tj
+16.8 0 Td <10> Tj
+11 0 Td <02> Tj
+4.7 0 Td <1F> Tj
+10.4 0 Td <06> Tj
+6.1 0 Td <05> Tj
+9 0 Td <1411> Tj
+15.7 0 Td <16> Tj
+11.1 0 Td <0B> Tj
+6.9 0 Td <03> Tj
+10.4 0 Td <17> Tj
+11 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <10> Tj
+11 0 Td <17> Tj
+11 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <16> Tj
+11.1 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <06> Tj
+6.1 0 Td <0E> Tj
+7.5 0 Td <03> Tj
+10.4 0 Td <0B> Tj
+6.9 0 Td <0F> Tj
+11.1 0 Td <0E> Tj
+7.4 0 Td <10> Tj
+11.1 0 Td <03> Tj
+10.4 0 Td <17> Tj
+11 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <08> Tj
+10.7 0 Td <06> Tj
+6.1 0 Td <1F> Tj
+10.4 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11 0 Td <19> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+79.6 206.8 Td /F2 17.5 Tf <20> Tj
+17.3 0 Td <03> Tj
+10.4 0 Td <0617> Tj
+17 0 Td <08> Tj
+10.7 0 Td <06> Tj
+6.1 0 Td <10> Tj
+11.1 0 Td <08> Tj
+10.6 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <0E> Tj
+7.5 0 Td <03> Tj
+10.4 0 Td <07> Tj
+9.1 0 Td <08> Tj
+10.6 0 Td <0E> Tj
+7.5 0 Td <17> Tj
+11 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <10> Tj
+11 0 Td <1F> Tj
+10.4 0 Td <06> Tj
+6.1 0 Td <10> Tj
+11.1 0 Td <0F> Tj
+11 0 Td <09> Tj
+17.1 0 Td <15> Tj
+10.9 0 Td <03> Tj
+10.4 0 Td <0E> Tj
+7.5 0 Td <05> Tj
+9.1 0 Td <06> Tj
+6.1 0 Td <08> Tj
+10.6 0 Td <0E> Tj
+7.5 0 Td <06> Tj
+6.1 0 Td <14> Tj
+4.8 0 Td <1703> Tj
+21.2 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+6.9 0 Td <14> Tj
+4.7 0 Td <1C> Tj
+6.1 0 Td <14> Tj
+4.8 0 Td <03> Tj
+10.4 0 Td <0E> Tj
+7.4 0 Td <05> Tj
+9.2 0 Td <06> Tj
+6.1 0 Td <08> Tj
+10.6 0 Td <10> Tj
+11.1 0 Td <060B> Tj
+13 0 Td <16> Tj
+11.1 0 Td <03> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+131.4 185.5 Td /F2 17.5 Tf <17> Tj
+10.9 0 Td <08> Tj
+10.6 0 Td <07> Tj
+9.1 0 Td <0F> Tj
+11.1 0 Td <09> Tj
+17 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <21> Tj
+11.2 0 Td <0608> Tj
+16.7 0 Td <10> Tj
+11.1 0 Td <02> Tj
+4.7 0 Td <1F> Tj
+10.3 0 Td <060B> Tj
+13.1 0 Td <16> Tj
+11 0 Td <03> Tj
+10.5 0 Td <060B> Tj
+13 0 Td <1F> Tj
+10.4 0 Td <0A> Tj
+10.9 0 Td <03> Tj
+10.5 0 Td <06> Tj
+6.1 0 Td <08> Tj
+10.6 0 Td <1C> Tj
+6.2 0 Td <06> Tj
+6.1 0 Td <17> Tj
+10.9 0 Td <08> Tj
+10.6 0 Td <07> Tj
+9.1 0 Td <0F> Tj
+11.1 0 Td <09> Tj
+17 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+6.9 0 Td <19> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+40.4 142.8 Td /F2 17.5 Tf <20> Tj
+17.3 0 Td <03> Tj
+10.4 0 Td <060E> Tj
+13.6 0 Td <03> Tj
+10.4 0 Td <07> Tj
+9.1 0 Td <08> Tj
+10.6 0 Td <09> Tj
+17 0 Td <09> Tj
+17.1 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <17> Tj
+11 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <16> Tj
+11 0 Td <04> Tj
+10.6 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <1F> Tj
+10.4 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11.1 0 Td <06> Tj
+6.1 0 Td <05> Tj
+9 0 Td <1411> Tj
+15.7 0 Td <10> Tj
+11.1 0 Td <06> Tj
+6.1 0 Td <0F> Tj
+11 0 Td <0A> Tj
+10.9 0 Td <0604> Tj
+16.7 0 Td <0B> Tj
+7 0 Td <06> Tj
+ET
+Q
+q 0 0 0.50196 rg
+BT
+357.9 142.8 Td /F2 17.5 Tf <1B> Tj
+14.3 0 Td <1B> Tj
+14.2 0 Td <1B> Tj
+14.3 0 Td <19> Tj
+6.4 0 Td <0C> Tj
+12.2 0 Td <0D> Tj
+12 0 Td <07> Tj
+9.1 0 Td <03> Tj
+10.4 0 Td <0E> Tj
+7.5 0 Td <0B> Tj
+6.9 0 Td <19> Tj
+6.3 0 Td <08> Tj
+10.7 0 Td <0E> Tj
+7.4 0 Td <11> Tj
+ET
+Q
+q 1 0 0 1 357.9 142.8 cm
+0.9 w 0 0 0.50196 RG
+0 -1.4 m 142.8 -1.4 l S
+Q
+q 0 0 0 rg
+BT
+500.7 142.8 Td /F2 17.5 Tf <06> Tj
+6.1 0 Td <0A0E> Tj
+18.3 0 Td <1408> Tj
+15.4 0 Td <0E> Tj
+7.5 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <08> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+57.9 121.4 Td /F2 17.5 Tf <15> Tj
+10.9 0 Td <03> Tj
+10.4 0 Td <14> Tj
+4.7 0 Td <10> Tj
+11.1 0 Td <11> Tj
+10.9 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <05> Tj
+9.1 0 Td <05> Tj
+9.1 0 Td <0F> Tj
+11.1 0 Td <0E> Tj
+7.5 0 Td <03> Tj
+10.4 0 Td <17> Tj
+10.9 0 Td <1D> Tj
+6.4 0 Td <0604> Tj
+16.6 0 Td <020B> Tj
+11.7 0 Td <03> Tj
+10.4 0 Td <0E> Tj
+7.4 0 Td <10> Tj
+11.1 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+6.9 0 Td <1413> Tj
+15.2 0 Td <03> Tj
+10.3 0 Td <02> Tj
+4.8 0 Td <1F> Tj
+10.3 0 Td <1D> Tj
+6.4 0 Td <06> Tj
+6.1 0 Td <1F> Tj
+10.3 0 Td <08> Tj
+10.7 0 Td <0F> Tj
+11 0 Td <06> Tj
+6.1 0 Td <09> Tj
+17 0 Td <04> Tj
+10.5 0 Td <1F> Tj
+10.5 0 Td <06> Tj
+6.1 0 Td <07> Tj
+9.1 0 Td <0E> Tj
+7.4 0 Td <03> Tj
+10.5 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+6.9 0 Td <03> Tj
+10.5 0 Td <0604> Tj
+16.7 0 Td <10> Tj
+11.1 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <07> Tj
+9.1 0 Td <07> Tj
+9.1 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11.1 0 Td <10> Tj
+11.1 0 Td <0B> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+37.6 100.1 Td /F2 17.5 Tf <04> Tj
+10.5 0 Td <1C0B> Tj
+13 0 Td <03> Tj
+10.5 0 Td <0E> Tj
+7.5 0 Td <0615> Tj
+17 0 Td <03> Tj
+10.4 0 Td <14> Tj
+4.8 0 Td <10> Tj
+11 0 Td <1106> Tj
+17 0 Td <04> Tj
+10.5 0 Td <05> Tj
+9.1 0 Td <05> Tj
+9.2 0 Td <0F> Tj
+11 0 Td <0E> Tj
+7.5 0 Td <03> Tj
+10.4 0 Td <17> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+208 100.1 Td /F2 17.5 Tf <19> Tj
+6.4 0 Td <0606> Tj
+12.2 0 Td <1A> Tj
+10.8 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11.1 0 Td <0607> Tj
+15.3 0 Td <04> Tj
+10.5 0 Td <10> Tj
+11 0 Td <0617> Tj
+17.1 0 Td <08> Tj
+10.7 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <16> Tj
+11 0 Td <1405> Tj
+13.9 0 Td <06> Tj
+6.1 0 Td <04> Tj
+10.5 0 Td <0B> Tj
+7 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <16> Tj
+11.1 0 Td <03> Tj
+10.5 0 Td <06> Tj
+6.1 0 Td <0B> Tj
+6.9 0 Td <03> Tj
+10.4 0 Td <0E> Tj
+7.5 0 Td <09> Tj
+17 0 Td <14> Tj
+4.7 0 Td <10> Tj
+11.1 0 Td <04> Tj
+10.5 0 Td <02> Tj
+4.7 0 Td <060E> Tj
+13.6 0 Td <08> Tj
+10.6 0 Td <08> Tj
+10.7 0 Td <09> Tj
+17.1 0 Td <060B> Tj
+13 0 Td <08> Tj
+ET
+Q
+q 0 0 0 rg
+BT
+153.8 78.7 Td /F2 17.5 Tf <1F> Tj
+10.4 0 Td <08> Tj
+10.6 0 Td <0F> Tj
+11.1 0 Td <0E> Tj
+7.4 0 Td <06> Tj
+6.1 0 Td <0E> Tj
+7.5 0 Td <14> Tj
+4.7 0 Td <11> Tj
+10.9 0 Td <16> Tj
+11 0 Td <0B> Tj
+6.9 0 Td <1D> Tj
+6.4 0 Td <06> Tj
+6.1 0 Td <08> Tj
+10.7 0 Td <0E> Tj
+7.5 0 Td <06> Tj
+6.1 0 Td <1B> Tj
+14.3 0 Td <16> Tj
+11 0 Td <03> Tj
+10.4 0 Td <10> Tj
+11.1 0 Td <061F> Tj
+16.5 0 Td <08> Tj
+10.5 0 Td <0F> Tj
+11.1 0 Td <0611> Tj
+17.1 0 Td <03> Tj
+10.4 0 Td <0B> Tj
+7 0 Td <0616> Tj
+17.2 0 Td <08> Tj
+10.6 0 Td <09> Tj
+17 0 Td <03> Tj
+10.5 0 Td <19> Tj
+ET
+Q
+Q q 67.5 628 477.1 122 re W* n
+q 477.1 0 0 121.9 67.5 628.2 cm
+ /Im3 Do Q
+Q endstream
+endobj
+
+2 0 obj
+ 13007
+endobj
+
+3 0 obj
+<< /Type /XObject
+ /Subtype /Image
+ /Width 1988
+ /Height 508
+ /BitsPerComponent 8
+ /ColorSpace /DeviceRGB
+ /Filter /DCTDecode
+ /Length 69390
+>>
+stream
+ÿØÿà + + + +%# , #&')*)-0-(0%()(ÿÛ + + + +(((((((((((((((((((((((((((((((((((((((((((((((((((ÿÀ +ÿÄ +%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖרÙÚáâãäåæçèéêñòóôõö÷øùúÿÄ +ÿÄ +$4á%ñ&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz‚ƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖרÙÚâãäåæçèéêòóôõö÷øùúÿÚ +Ääþ•Ãjÿ +øßRø‡âíD0¹×ï€n¢òAüÍÝ^\ݶ뫉§>²9oç[,º³žY„zDû^çĺ¯ü}kZd?õÒê5þf³'ø…áÄ:qç$Áÿ +‘ö|"åuûP:|Á—ùŠµÄ L§ˆtѸàoœ'óÆ+ã*(úŒ;°þПd}»oâ}çþ=µÍ.nß»»¿‘HfŠt݉"ú£?Jø:¤†i IŽŒŒAˆ¨xÒE¬Áõ‰÷…ñ]‡ŒüK` +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +*¶¥¨Zivr]ê70ÚÛF2ÒÊáT~&¼WÆßbˆ½¯„„Ì2
åÊ¿ðê~§CZS¥:ÝFU+B’¼™í:ž£e¥Ú5Ö¥uºõ’g¿™ï^QâÏŽšE†ø|=m&¥8ãΓ1Ä>™ù›òZùÿ +̯Bž ++YêyÕqòzAXí|Kñ;ÅZþô¸ÔÞÖݸò,ÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€&´º¸³g´žX&_»$NU‡ÐŠï<=ñźC*ËzºŒ¬w‹¼ÿ +ø:Õ\ZÝ^°´×,¹ÿ +ÑZø‹bÒª4 +×άÅI)€˜ÇRàñ€zô?Y׃ø·]Óþxš;?é°”½e¾†id~0kJž_9ÏQÅz€¾$èž1w6škIÈÜÜ=~¾Â¸ñ*U-Q-Ü+…+ÒoÞ;jlˆ’ÆÑȪèà«+‚PE:Šã;Ožþ.ü#1OxVm”o¸±Q“îÉíê½»qÓÃëïJùã¿£ðÞ²š®™M.ýŽcQÄ2õ*=êÔt½,.!ËÜ™åâðÊ?¼åtQEwžpQE +öÏôoƒÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€;_ƒòS´úêÿ +_éNUe•7Bíü/*~™àûZÑŸ$Ô™x{Jn(ø®¶¼f5h–ŒI¯aFÏ÷KŒþ™¬ËÛIìo&µ¼‰á¹…ÌrFãXk®ø3nn~&è(3òÊÒqþÊ3JöfíÏœo4¼Ï¯è¢ŠðO¡ +ðßÚsZòìt'æW7S(þêü©ø[þù¯r¯>1ë_ÛŸµI‘÷Ánÿ +?ô#YW·³•Íð÷ö±·sê*( ð2kÃ=ãâoȲø×Ä !_P¸`¡‘«ê×"÷U¼ºÄó<£''æbT¯ вHùÉ;¶ÂŠ(¦HQE +\£7$à($þUâþ&øûþ</¥z—Q\¨Do÷NíÞ£ëZtgSáFU+—ÄÏw¸š+h$žâDŠ”¼’HÁU’Ià +ÿ +ÿ +(¢ºÎ ¢Š( +(¢»¯¥¿g
¶›á›få6Ï©8dr"L€[ð¼_ៃn|gâíP2XBD—su3дzÄö¯°lí¡³´†ÚÖ5ŠÞÆ‹ÑT +àÆÕ²öhôp4[~Ñ’Öu1£ø3Z¾'+WØsœ«ÿ +Ö¿±þ"X£¶!¾Ñùîܯþ<~5õy¸rÔ¿sÚÁÏš’]‚Š(®S¬(¢Š +(¢ºÎ ¢Š( +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ ++¤ðoƒ5¯Þy:E±0©[™>X£úŸ_a“í^ûàÏ‚úŠRãX?Ú÷ƒœH»aSìŸÅÿ +ˆ0 +¤ÿ +Š(®ƒ˜(¢Š +…ÚF3‰9Æy÷ +ù‹ö‚ñ·?#¶³ãþʉQ^6 ¬ó1t8*? +ëÃÊu¥}<DiÒjµ>¢¾ZðÏÆŸi±jVÿ +ÿ +ÿ +(¢€ +(¢€ +)—EoÍq"E³»U¤ž•ç> øÍáM)Ú;içÔ¥^Ö‰”ÏûÌ@üFjáNSøUÈHÃâv=&Šð{¿Ú
A"ÏäŽÍ-Þ?@ŸÖ¡‹öƒ˜æør6¶Þÿ +(¢€;_ƒòS´úêÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +õÙãZþÍñ಑±£CÉãzüÊB?àUåõsG¿—KÕ¬ïíÿ +Õ¿hA+¤hR?£ÝLÿ +äVaÖ586ùä{zl†?#GÔóö‚þ_Äû–ŠøÂ×Çž+¶‹Ä:¡íÜ3ÿ +?VþµÌßø¿Äz?l×5)Aþrá q[G7»9å‚Ù3íY$H—t®¨¾¬p*„ºö‘|íVÂ<|×9ôë_O4³É¾y^Wþó±cùšŽ´XÖFo0}"}±/‹ü5m—Ä::7£^Äþ…Mÿ +˜uë¹ +(¢ºÎ ¢Š( +>ó·e_rÎ+ãÏx–ÿ +ZÌV‘FƒéÜûŸÓ¥rÔQ^¼b¢¬RrwQV,lîoîÞÆÞk™ÛîÇ +cø +íôß„^2¾öZÛ/o´LˆOáœÄR”ã‰Øq§)ü*çEzU×Á_À…£¶´¸ glw* öù±\N» jÚ
À‡YÓî,ݾ
ô=áJ5!/…ŽT§‰XÌRURA‚;W©ü8ø½ªh3Åg¯K.£¥³ÓB=TŸ¼=áŠòº(8ÔV’ +u%MÞ,û³N½¶Ô¬`¼°'µ™CÇ"†b¾jøã‡Ò5uðþ£/üK¯_<E1è³tÇ®=M}+^5jN”¹On…eV<È+É>*|$¶×–]SÉ®ËIùc¸?É[ß¡ïë^·EM:’¦ïêSEË#á+ëK‹¹moa’˜˜¤‘ȸe>„Tõçį‡Zw,̘[]^5ÄWj½ÙUýGnàü«âÿ +£ÜÅã©-®Ï¬è¯‹îüsâ«°DÞ!Õ0z„¹dðV5Ö¥}wŸµ^ÜÏž¾d¬ÙüÍh°«2y„zDû~çQ±µ8¹¼¶„ôý䪿ÌÖlþ.ðÜë¼A¤!Æpב‚GÓ5ñ=k +(¢¨€¢Š( +RQWgC\Ÿ‹þ!xw»£Ô¯ƒÝÿ +’ƒ¼]¼ñWÞ%Â×Ù×íÇÙîˆ\Ÿö_¡ýµwÕð]z7€~,k~h¯µ-)x0Ìß<cý‡ê>‡#éÖ¸*àºÓ= +8î•>óêê+Â>+Ò<Y§‹½äIŒy·D}¯CÚ·k§fz*JJè(¢ŠC +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€>LÕþ'xÆ
Zö(µÉ–8çuUòãà »Tÿ +ô…nü`âúùžÓEFÁžr:„öõoçÎ2~x=¼eâˆí%,š|ç]:õØ +«>™=«ëÛ[xm-¢·µ‰!‚%‘ ÂªŽ€ +åÅb=Ÿ»Î¼&Ú{òØÎðç‡tŸ
Ù]Ê+Xÿ +”¯™;FêèÅ]NC‚}™ðÛÄ?ð”x3NÔœƒrÉåÜcþz/
ùõükã÷ÏÙƒV%uØí.£\ôþÿ +È™h.|ð·¨õ£¿äkæ½Ká'Œ-/§‚)®¢ˆYâ‘6È;’ç^Tf½íã×ÂJ›÷UÑ[àÇü”íþº¿þ‹júâ'Äí#ÁÛ°oµR¹Ñ0Âzyü?NOµ|óýâo‡º…ž³}§›9Tº[¼Žó”aœsŒçÒ¹+‰å¹¸’{‰I¤bîìrY‰É$Ñ:156ôW•8%©Üø—⿊õÇuçO·9/Ýà{·Þ?p³K$ò´“HòHÇ,îI$û“L¢º#ÃH«òœ¦ï'p¢·¼á]SÅÚ¨±Ò!Àn’W8Ž%õcý:š÷à&hÚÆ¥yw6>e‡lIŸN„þ¢³©^ô“4¥‡©WXœ(¯¬àø;à˜“¥I1ãæ{©Aÿ +ÚÝÇŽËrÜþy£ë´üÃê;£åJ+éé¾øRAòO«EÎ~IÓòå
gÏðFcûcQAŸãToäRÆR%ટ8Ñ^ùsû>.3mâ2>ì–yÉú‡þ•—sðY]ßfÖ4ù:ãÌWLút©b©>¤<%eöO¢½Fëàw‹a'Ëþθÿ +×:Jg£—ÎÍÀïh¢ŠóOP(¢Š +ùïâ—Æ)oLúW„äxmyIo‡'´ÝýO·}iR•Wh™UJò=â7Å]+Â~ežÝCWy(ß$Gý¶õÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +|2É©,.Ñȇ*èpTúƒL¢žéð{â–·âY+É(—.vËžHûÝ;óï_@WÈ?ä§h?õÕÿ +(¢µ1 +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€44-gPÐu(¯ô›©-®£èÈzB:ìkéÿ +(¢ °¢Š( +ªó9pø‡Eùs×㟆š‹Uåž±ê'‘wn +(¢˜‚Š( ¬¥½¼‚ÖÙÏ<‹h:³1À™¯¶|)¢ÁáßXi6ØòíbXufüX“ø×Î?³Î‚5_}ºdÝ™›ÛÌo•þ„à5õy˜ê—’‚èz¸ +v‹›êQEpž€QE +(¢€ +(¢€>sý§¯]üK£Ø’|¸mÀv˹ÿ +›ØÑcªõ>ÖÓücá½CÏ]ÓdcüiPß÷É9ÔuuŒOBA¯ƒ*Õ–¡{`Û¬nî-›ÖYèk'€]$mÁý¨ŸuQ_鿼a§•òuëÉ +±|œzC6;=zŸað§Æ9¼Q|ºE–ˆ ÕîÅ»¼þd!˜‚ñÎ2q^Yªü!ñ–ž¥†š·h:µ´Êÿ +C +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€'±»¸°¼†îÊg‚æˆpTŽ„W×?<o4#MRØ»„qÏg윧"¾?ÿ +ç|woaðãAº¼™ ¶‡J·y$s…P"^M|ùñgâuÇ‹gm?K2[h‘·Lá®èÍè=ñ>Þ4(ʬÚ[åJñ£M7¹«ñkâ̺ٗHðÔ—÷f¸W¸öÕ?Sôâ¼zŠ+Ö§N4×,O¥IT—4‚Š(«3 +(¢€ +(¢€ +(¢€ +(¢€ +ûàÇü“þ¹?þŒjøþ¾Àø1ÿ +8ÿ +(¢€ +(¢€<sö˜ÑÍ׆4ýR5ËYNcrDuÿ +ø»^Ñï´VãNÕ h.¡l2ž„v ÷±¯SRñäìy8êmOŸ¹ŸW4BãIÕ-u'Ùsm"Ë{ƒž}ªÚÕÎí©ö§|Qgâï[êvd+’xs“ƒªŸæ=AÐWÇ
¼gwà½}.âÝ%”¸K¨3ĉê?ÚGåÞ¾¾Ó/íµM:ÞúÆUšÖᑺ÷¼lEe-6g·†®«G]Ñf¹?‰¾‹Æ>žË +/b̶’6ÈB}CõÏjë(¬c'to(©'|s¶×ÁpÑ1GF*Ààƒø×Mðûƺƒ5u¹³c-£.-Y¾YWú0ì§Û~Ѿ]7Ä6úݪmƒQf +¾‹¯=ø£ÿ +ê%Rù®´ÙO¿rgýåÏê|çã è^*ÕtÂ[k‡DÏtÎTþ*A¬jõ^”ÕÒ±ãÇV›³w>åÒu3X‹ÌÒµ[ÄÆI‚U|}@éøÕúø> ¥·•e·‘â•yWF*GЊî<?ñcÅÚ6Õ‘¾„Ë;Õósÿ +º-Ï*¶tµz£éÿ +RQWgñëÇߨÖ-áý&R5¤ÿ +(¢˜‚Š( Š( Š( Š( Š( lý<bm/ßÃ7òÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +±§ÈB×þº¯ó^¬ißòµÿ +*g5i Êš,ûsÂÞ%Ò¼Q¦ît³EÑÐðñŸî²ö?϶kb¾ðþ»©x{RKíêKk…î½z0èG±¯£¾|_Ó<B±Ykf=7U?($âû,~éö?5åÖÂJÇTz´1‘©¤´g©ÑEÈvœ‡¾è>.F{ûo&û[¸0²Löaõü1^C¦ü'Ôü5ãí{ׂëDŽí$kÀÁ•ù”:“ÆX +r›´P§VÕäÏQ»º·³·{‹Éâ·^I\"¨÷'X7Ž|5jÙúf±mqxrV1‘»v’ +ýY€þµN½;özÑ¿´¼~—n¹‡N…§$ôÞ~U_˜Ÿø
EIòEÈÒ”9æ£Üú‚ÊÚ++8-m×l0F±"ú*Œù +šŠ+Á>„(¢Š +è«àÁÁâºï|FñV‚,µiäåÏvHü®Ià‘Ì?}ÇØµ[Q±µÔ쥴Ô-⸶”mxä]ÊEx‡¾?!Ùˆt‚§ø¦²|ûá¿øªôâ7…5½‹i¬ÛÇ3tŠàù/ŸO›?L×,¨T†èë†"•M8¥øi7ƒ|o§ø‡ÂÌòé‹.Ë›6$¼q?ÊÅOñ€q׎õìJC +¬vÔðZ+¨ñO€üGá’íªi²ýåæÞEÿ +(¢™!EPEPkðcþJvƒÿ +¿¯ÈsQÿ +ãÆô/ßß#üi{HwCöSìÎJŠëá\xÃþ…ûïûäð®<aÿ +ãÆô/ßß#ühöîƒÙO³9*±§ÈB×þº¯óÒÿ +²)'hàgëC©è)ögØQEx'П볛oPœœ™n$|ýXš£Eô)Xù¶ï¨QE(¢Š +8_mÉ…—³aãbxȘç“ÛšŽtê®mŽªØˆU¢ùw<–•X«RCGPi(¯LòPðOÆMwAÛjŸñ6°^13bdÏßèÙúŠ÷Ÿxÿ +(jû6¶,Þß]ßI¾öê{—þôÒ?™ªÔQ@ +98õGÀï·…ü>׺„{u]@u#˜£ê©ì{ŸÀv®3àÃi ñˆíÊ"%•´ƒQ#OAøúgß«ÍÅ׿îãó=<Ç÷’ùQ\¢QE + +=Îì/7.ƵQ^Yë…Q@5‹µM&òÂãýMÔ/ñžýkáÛëYl¯n-nlÐHÑ8ôe8?¨¯»käÿ +(¢€ +(¢€ +(¢€ +(¢€4´½{WÒqý—©ÞÙŽ¸‚vAùŠö‚W¶¾6Ô/—ÅÐÁªê¶J’ÚÏtÜG’ +û€ÄœòƼ»OƒÚßöÄ-*wm°Nÿ +q‹“I +RQM³ç/þ&>!ñÅÌp¹k-?6°ŒðH?;~-ÇÐ +óêRI$“’{ÒW½¨EE=9¹ÉÉõ +(¢¨€¢Š( +(¢ÂŠ( Š( Š( £¹‚+«imîcY`•J:0Èe#’Š +(¢€ +(¢€<Ëöˆÿ +(¢¸Îࢊ( +täž(åŠå§gGPC~õ—¿v¾Q¯°>Çå|2ÐWh\ÄÍï#þµÇŽ~âõ;° +õ¡ÊxÓà†•©™.|97öeÑçÉl´šþÕá*ð–µák¯'Y²’' 0ù£“ýÖ~}«íj†òÖÞöÚK{È"ž 9P2°÷ƒ\´±s†’Õuppž±ÑŸÑ_HxÛàv~çÂó
>äóöyIh[èy+úa^â +k^¸òµ« mÁ8I~ôoôaÁúu¯BxTÙžm\<é|KC +Š(ŒÏÂüMá‘Úߵ͢ñök¼È€zr¿ì~øé¢_„‹^¶›L˜ðd\Ëü†áù|ÓEaSN¦è觉©Og¡÷.‘¬iºÍ¸ŸJ¾¶¼‹»C l}qÓñ«õð¥ÕÅ•ÂÏg<¶ó¯Ý’'(ÃèG5Üè<a¥mS¨ôCø/#gêÃ
ú×$ð2_;a˜EühúÖŠð#ö€C…Ö46_Y-fÏþ:ÀèUÚiü}´I5›·E¹‡æW ~uÍ,=HâiKiü[ðÏÃ>&i&º²û5ëònmO–äú‘Ѿ¤f¼›_ø«[–}R¶¼¨Žpb§p1^ç§x«@ÔTkN›?· »ñÈ•`ÊH*FA
8׫KKŠxzUu·Ü|u©ü7ñ~œÌ'Ð/dÞÝ|àïŒÖú6§nXO§^ÄW®øqùŠû–ŠÝc¥Õï/F|S¢xCÄÜ뛤^JN>sTõc€?:÷†ÿ +C$Ì1SŸ¼O¯Zõú+:¸¹ÍYhiK +nïVQErEPE2i¢7Í"FŸÞv +ÑQ¨ö‹3uéäQ¢¼+Qý a +´ïÜ(¢Šä;Š( ¼_öšÑ¾Ñ éš¼kóÚL`î8È'èWÿ +Çwu5=EViIƘʧär}ϵz5yªÞÒ\«d{XJÎ<ÏvQEraEPEPEPEPEPEP!ñÀ:_,JÝ ƒPEýÍâ/̾Íýåöü±_)ø¯Ãš…µ‰4íZ.eå]yI³)î+íºç<sá
7Æ:A²Ô”¬‰óApƒç…½G¨=ÇÈ×Vé»Kc“…UW4w>.¢·|eá}GÂZÔšv©|ÑJ¿rdìʧj¯Y5%txí8»3µø1ÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ ++gDðÆ¹®‘ý‘¥^])þ4ˆìV<νEøâ;°¯©\Ùiêz©c+Á~_üz³XCâf°£9ü(òJ+é-/à&…Ó©jW÷l:ˆöħðÁ?u? üh
faÕ¦šG'ð-ÈVÆÓ[jtGUïd|‹E}kàßÚäxIR?‹ìˆOæFjôz&“ß/L±]½6Û ÇéY¼zè_.²>¢¾ìû¯üûAÿ +(¢€ +(¢€<Ëöˆÿ +(¢¸Îࢊ( +(¢€ +(§Ã“J±Â$Œpª£$Ÿa@ÆQ^ƒá„~*× +¼–cM¶=e½Ê{'ÞüÀõìø)áí#dÚ³>¯t9Ä£d û ëø“ô®z˜špës¢ž¥N–>~ð¯„5ÏÜyz5Œ“ 8yÛå‰>¬xü:ûW¼xàž“¤˜î|E"ê—ƒB!úuÇÚ½bÚm Hm¢ŽPacBª`:T•ÃW9è´G¡Kk-XØ£H£XâEHÔaUF + +(¢»N¢Š( +i3ãî^ìνý–º0®ÕQÏ‹W¤Ï›è¢ŠöO(¢Š +ê:妣ª_CccsÍÆ<É]`¹w?Jö/
ü.𦂢ÓRîáåµáó[>¸?(ü +(¢€ +(¢€ +(¢€ +(¢€ +(¢€>¢Š+èOš +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +ûàóùŸ
4Æ1_ÉØJøò¾·ø/›ð·Fù·2yÊ}¿|ø–+‹ð/S¿üGèw´QEyg¬QE +—¦»”°5_cäÊ–ÞÞk™vÑI,‡øcRÇòöe—|+fAƒÃú`aнº¹‹[Ö¶¶ö‘ùv°EÝÈVoº#Hå﬎´¿‡ž-ÔÊý—@¾ +(¢€ +(¢€ +(¢€ +(¢€ +úgönÖþÝàû.G̺tçhôòÃÿ +¹ñPç¦üŽœ$ù*¯=ª(¢Šñp(¢Š +Ùñïö‹µ«Ìåf¼•×ýÒç¦+½êqå‚GÏT—4Û +(¢¬Ì(¢Š + +?ôú׈W¤þÐWiø—yr- †í•ßÿ +üM|ùEs¼-'Ž¥‹ª•®}ÿ +üMðÐVŸô/Ïÿ +üMðÐVŸô/Ïÿ +üMðÐVŸô/Ïÿ +üMðÐVŸô/Ïÿ +üMðÐVŸô/Ïÿ +üMqÿ +(¢€ +(¢€ +(¢€ +(¢€>Öðüˆ~ÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€<Ëöˆÿ +(¢¸Îࢊ( +úм—ö‘ÑþÛàÛmI2ióÇ#“ +ñà•Ó…Ÿ-Eæsc!ÏIù2ÑEìQE +(¢€ +(¢€ +(¢€ +(¢€ +(¢€=¯ö`²ó5Ýnûoú›d‡?ï¶ö}^5û1[ð¶uŽe½ß(§ÿ +GFø±>–¢Š+Å=ТŠ( +ÿ +ÿ +ñÿ +áÿ +(¢²5 +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¨/É[’¤‚#bíÁ …®$ó®%”ŒobØôɨ袾„ù°¢Š(QE +(¢€ +(¢€ +(¢€ +(¢€>Öðüˆ~ÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€<Ëöˆÿ +(¢¸Îࢊ( +Þi’2ù–î‚Q÷OÓ±ö&º:)ÆN.èRŠ’³>»·šÒêkk˜Ú9ásˆÝUÁñ¨«Ù¿hß ýƒX‡Ä6qâÞøùw,Àpà@~j}kÆkÝ¥QTŠ’>~7Nn,+WÚþ¥áÍN;ýéíç^¸û®?ºÃ¡Õ•ESI«2iÝ[|1ø“aã;qo(KMe2[Äž=G·QïÖ»êøJÆîâÂò«9ž˜X<r!Ã)Å}Wð‹â^3ÓZÞódZÕ²ƒ2«ÓÌQüÇcõåâpÜžôv=l.+Ú{“Üô*(¢¸Îࢊ( +Ÿ7c‡>Xr÷1¨¢ŠõO ö_ÙŠè'Š5kRqæÙ‰ +ã¾0iŸÚ¿5¸UIx¡ûBã®c!Ïèük±¦MO‘J¡ã‘J²ž„ªŒ¹d¥Ø™Çš.=σ¨/érhºþ¡¦KÖ³¼Y=À8ñ?f×¾ÕÑóYÙ…Q@‚Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( ¾°ø
_áí¤Nû§ÓÙ×”ü6? +ù>½“öiÖ¾Ëâkí"GÄwÐù‘ƒÿ +(¢¼sÚ +(¢€ +(¢€ +(¢€ +âþ3ÿ +ú±óop¢Š)ˆ(¢Š +(¢ºÎ ¢Š( +¤9&â})óÁK¸QEEPEPEPEPEPEPEPEPñ“ZþÃøyªJ¶{•û$_WàþK¸þò{í9ùºŽ•¢Dÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +ØðŽ®Ú‰ôÍQs‹YÕØ¥3†Š’?Ç¢“WVcM§t}å‰,i$lV=
:¸‚ú×ößÃÍ2Itöªm%ÉÏ)Àÿ +ãÆô/ßß#ük鯄Óý£áÇ‡ß âÕSöI_é]my²ÆÎ2jÈõ!„¢ÙñÇü+п}ÿ +ãÆô/ßß#ükìz(úôû þχv|qÿ +ãÆô/ßß#ühÿ +(¢˜‚Š( Š( Š( Š( µ¼ÿ +(¢€ +(¢€ +(¢€ +(¢€;ß_òUtOûoÿ +¾ÊjGÛÔU-SµÖ´›MJÂO2Öæ1"cØûއÜUÚðÚ¶Œ÷“¾¨(¢ŠQE +(¢€=›öb¿1x›V°-…¸´ãÔ£€?G5ôu|£ðãÉø§Çÿ +(¢¹À¢Š( +žÎjGÛtUm2úßSÓí¯l¤Û\F$ÇpFEY¯cßÜ(¢Š +(¢™!EPEPEPEP±~Ì×Ë‹u&l}¦ÓrVF~LÇ玥ㅧöGÄ=å›lm8Éé¶@PçþúÏá_cוª_¹ì`ezvìQEq¡EPEPEPEPEPEPEPEPEPEPEPEPÇ_-M§Ä~6-reüúrê´U‘¶øŠÓmÀºµŠ\úã)ÿ +ÿ +å«ÞŒ”’hùéEŸ°¢Š)’QE +(¢ÂŠ( ý¨tÿ +(¢€ +(¢€ +(¢€ +(¢€:ï…:ððïŽô»ÉX-»ÉäLO@ò’~„ƒøWØÕð]}ƒð“ÄëâŸÙÜHù½·f¹çzóÀ†ÔŸJóñÔöš=,MàÎΊ(¯8ôŠ( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( Š( †µïùj?õó'þ„j…_׿ä9¨ÿ +’{H:)ÿ +(¢€ +(¢€ +(¢€>fý¥æó<wgbDZz= ’Cü±^I]§Æ=Lj¿õ™Q·G¢Ý0r?vŸÔø×^åËN(ð+Ëš¤Ÿ˜QE©‰é_³Ý±ŸâU¬sä[Í&}2»öjúª¾xý—ìKëzÝþÞ!·Hÿ +ùïâ7Æ[ícͰðÏ›a§œ«\&”{p}9÷+:T'UèkZ¼)/{sÒ~&|WÓü,%±Òü»ídpS9ŽþÙOû#ñÅ|ѯkZ†¿©K«Ý=ÍÔYºè@=…g’I$œ“Þ’½Z4#Ii¹ãÖÄJ³×`¢Š+c +(¢»¢Š( +(¢€ +(¢€ +(¢€ +(¢€ +Ùð~½qáŸØêÖ„–òéýô<2Ÿ¨Ïó¬j)4š³m;£î*þßUÓmoì¤[\ƲÆÞ Œþuj¾zýž¼sö[á}NOÜLŬç“Ðõùõ¯¡kÄIÒ—+=ú5UXs ¢Š+#P¢Š( +(¢€ +(¢€ +(¢€ +(¢€ +ôƒ2ñ@K·Û¥ßb+D?Âÿ +(¢˜‚Š( Š( Š( Š( µ¼ÿ +Ïñ“m®è·šeòî·¹ŒÆÞ£ÐppGÒµ£SÙÍHʽ/káº+OÄš5ׇµËÍ.ýq=³”':†Ä`fW¸ÕÑà4Ó³ +(¢Q@Q@Q@Q@Q@Q@¯¾$kÞtŠÚµiÀüÖs’W잪~œzƒ^ýá/‹^ñ +Ydôû]Ðãê©ýIü+Å|IªË®k×úœå‹ÝLòáŽv‚Iø+6šÃEËžz¶'Š”b¡
4uÍkRׯšóX¼šîàÿ +Ú†"~Ñ)=qh*mÅj|¹EWªxáEPEPEPEPEPÑ?³&µçèú¦#|ÖÒ‹ˆþëŒ0B ÿ +r=}3ð“⥿ˆa‡J×¥H5¡ò¤‡åKŸ§`þÝûz˜éT•`TG ŽÕ•j1ª¬Í¨×•t}çE|çðëãUΚéþ+Y.íW +·‹Ì¨?ÛÆ=úýkßô}ZÃZ±KÍ*î»gèñ6qì}±æ¼Š´eIûdzJ¼*¯t»EVFÁEPEPEPEPEPECYÖtÝ×í:½í½œ=šW»Ø¤û +i_D&ÒÕ—ê–¯ªØhÖ/yªÝÃild•°>ƒÔûkżiñÚ4ó-¼%kæŸlº\/ÕS©ú¶>•âšö½ªk÷iÖo§»›±‘¸_e +ñ;ûËBî[«ë‰n.e;žYX³1÷&«Ñ^:Q¦y•+N«¼˜QE¡‘¯áù4_úþƒÿ +(¢¸D(¢Š +(¢€ +(¢€ +(¢€ +(¢€ +ú“öy×WTð(°vÍÆ™!ˆŽû–Cú°ÿ +£ É=€îhnÚ±¤Û²,xOÃ÷¾'×m´½9 –Só>2#NîÞÃÿ +(¢€ +(¢€ +(¢€ +(¢€;_ƒòS´úêÿ +ª:’z +}1û7èßað\úŒ‹‰5ÉSë|£ÿ +°9ƾ§ø=ñ/éÂÇQuMrÝ>qÐN£ø×ßÔ~=:|©V´Ëû/P·¾°™ ºÃÇ"õR+ôUXÛ©½ +ÐûªŠâ¾xîׯº>ã²V +½E ÛQ5}ð…ÔZÝMo:í–'1ºú08"¢®ÿ +9'Vu>&QEY˜QE +(¢¸D(¢Š +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¯@ømðËSñ„«s.ë-šå—™=Dc¿× ý*g8Á^E›åŠ9¿x_Sñf¬¶:DÛƒ$ÂD¿ÞcÛùžÕõgÃßi¾Ó|«Eó¯¤ín£t‡Ðz/ üòk_Ã^Ó|5¥Ça£Û,/'³·vcÔŸóÒµkʯ‰utZ#×ÃáU-^¬(¢Šå:Š+ŽøŸãkoè-9Û&£8)iþ&þñÿ +(¢µ1 +(¢€ +(¢€ +(¢€ +(¢€;_ƒòS´úêÿ +FAíEáß>É›VðŒJ“òóXýL~‡ýžžž‡çùcx¥xåFI•ea‚¤uz×Þ5ç_þXx¾'¼²Ùgªñ0,Øè$òÝÔ{ŠîÃâù}ÙìyøŒ—½O~ÇÊV†»£ßèZœ¶µ³Û]GÕ¸ìAèAõŸ^šwÕ[MhÍ?kwÞÖ-õ-.cÌ'#чuaÜJúïÀ0°ñ–†—¶dGp˜[‹bÙh_ÓÜÇ¿×"¾1ïø§Pð–·£¦¿O–XIùfNêßÐö5ψ ª«Îœ6!Ñv{kQX¾ñ%‡Š´85=2MÑ¸ÃÆOÍã”oqúõªñÚiÙžÒjJè(¢ŠC +(¢€ +(¢€ +(¢€<KöœÑ¼í'IÖc_šÞV¶î¸Ê“ì +Ÿûê¾x¯³þ%hßÛÞÖ,n• 2D1“æ'̸úã_W‚Ÿ5;v<|t9jsw +(¢ºÎ ¢Š( +(¢™!EPEPEPEPEPEPEPEPEPEPEPEPEPkðcþJvƒÿ +uåT«*Žò=ŠT£IZ!EVfEÊ|AñÆ™à½7μo:ö@~Ïh‡æúŸEõ?ÌÓŒ\‘2’м¶-øßÅzw„4W¿ÔŸ,r°À§ç™ýõ=«ä?øŠÿ +(¢¼ãÓ +(¢€ +(¢€9¿x7JñŽšmµ8±2äÜ ýäGØ÷ ðkåox/Uðn¥ömJ=öîqtƒ÷roCê?‡5ömP×t{
{L›OÕ’æÖQó#v=ˆ=A¢ºhb'g±ËˆÃFªºÑŸ
Q^ƒñ?á¥ÿ +ž²&YñÝÿ +Ÿóު׹ä5`¢Š(QE +(¢€ +(¢€ +(¢€*êº}®§\Xj¬Ö³¡I‡|×ÈßüyàhÂá¥Ó¦%nqÃî·ûC¿ç_aÖg‰4;è÷f©–ÞeÇûHÝ™Ob;èÃ×tŸ‘ψêÑó>¢ºïˆ¾Ô<«y9šÆRM½Ò®Aè}wÈ×±)+£Ä”\_,· +(¢™!EPEPEPEPEPEPEPEPEPEPEPEPEPEP¿„?älÑëúýµöí|Eáù4_úþƒÿ +¿×Þ¸ªãc!©ÝK)k=.øcð<7¨[kÍáŸS‡-0qd‚Iå'Ð}k×(¢¼ê•%QÞG§Nœi®X…QPXWñ¿[þÅøw¨l}³ÞâÎ?}ÿ +(¢€ +(¢€ +(¢€>׿ä9¨ÿ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€9oøAñtGûRÓmÐK¨~IWñî=ŽEx~ëúI>˜§V°†z£ý¤ê~«ŸÂ¾¦¢·¥ˆ=Ç=\4*ê÷>
thݑԫ©ÁR0Aô¦×Ù¾.ð?‡|M¾±c˜ýª3åÈ w,:®E|ïðÿ +(¢˜‚Š( Š( Š( н¤é:ޱp Ò¬no&þì1—Ç×+Òü7ð;Ä:I5yô¸ V>l¸ÿ +<š·|5á=sijlÑtéî8iq¶5ú¹ÀL×Ò~ø?á]¤“Û>§r¿ÇxC.}|¿˜5èQFƱĊ‘¨ÂªŒ +3ëî}êåÃR¬ê|Lï§FþQEfjQE +ï«Èì>Má¿ÚkÖ/)þ{kÅÜ2~eܽF;éÍzåsÖPæ¼6gM>[TZ ¢Š+#`¢Š( +²´¹¿¹Kk+yn.$8H¢BìÇØkÖüð?TÔJ\xšoìÛSƒäFCLÃß²þ§Ú½óþÒ<9käh¶Z!fEË¿ûÌy?‰já©“Ò…,c¬ÝÌOø[Fð½ ƒE±ŠŒ<¸Ì’¼Ç“ôé[tQ\M¶îÎä”UQE†QE +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(®«Ã¿üOâ§é7ÿ +uW1ÔQE +(¢˜‚Š( Š( Š( Š( µ¼ÿ +kÁôŸÿ ++ëeøAàp ±©»Ÿ'ÿ +Šû2ßá÷„ 9OiÇœþòÿ + +ø¾È±·‚Òý9·œ£í®SQðg‰tÜ›ÍQGWìËÿ +kÁôŸÿ +ZÍãåÑÇ/Y4i?<Es†Ô/,,”ÿ +Àdÿ +*: ¢Š)(¢Š +’Š* +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +(¢€ +FAíEÆxƒá„õÇint¨à¹2Ú“úà|§ñçz×ìÿ +¶§ª_]°ê# +ŸÃæ?{”±U_SXá)G¡Èèß
ü%¤m6Ú%¬’/;ëóç…u‘F‘F±ÄŠˆ£ +ª0 +°QE%Q@Q@Q@Q@Q@Q@;ëÿ +endstream
+endobj
+
+5 0 obj
+<< /Type /Page
+ /Parent 4 0 R
+ /MediaBox [ 0 0 612 792 ]
+ /Contents 1 0 R
+>>
+endobj
+
+6 0 obj
+<< /Length 7 0 R
+ /Filter /FlateDecode
+ /Length1 9040
+>>
+stream
+xœÝy{|TÕµðÚûìsæœyO2“LfHf&“÷ƒ„I&!0‡¼Ãd IÀ¢Á*©<D‹U[ô³zïÕ>ˆAd,-E[ÔÖ«¶·Ú«ô³•ÚïÖÚ{•™ÜuNÂCK¿ï~~gfï³öÚkï½öÚëµgû·v‚vòºMá¾Ü{÷N +À
a{ö†žíëÿ)˜r7 +Ïˈƒ{ûüà:º^Ø
ûáaxÞ$ÉÓ¸©•Lqð1èé2@öò n‚¸
îB¾Î‘…ˆ«@ÜbÄöÃDì 87ùwRµBºa3<?Qq9ˆ]ˆEÜ4݆»áÁ?ÃIäk9»ºÁ|·SõÀ |„³½B¾EÏÂpÌ.Á +ZÔÓàB‹)5Jû€XÇä_ÑfÖÒÏècô^8B»a¡¬/-ÉHwÅÇô<£yîq.½Æ[ã
wíq×t¹÷x«Û«óó‚Í+jªO[~žÑÕîqÒÝÖeßS£ŒÇåŽÓô¥tËßlGÀ[íñx°'þZÏñÉÓ÷\×õ4àZ]ËV(K*¥½Ë=ΰSœˆ™æ@éëjÇÚ[Üÿk½µí{öÔzݵ{Ú÷„Oî\ëu›½{ž÷ôÕ´»ÇañŠq‚øç¿é¯½§mÜÜÞEæàÎ&j›WœÎ\ê
.Y¹Â]³§}zÞiÌlµT1p
qsø²>'PJ)xõ7¯ªÕ¬BÅcIÇŠ Õ;yøRyè$àžÍ!<#3žO«\1ÇZ‘´“—™:Mš¤bИ5T£‘ìÅZNM—‡Zln(ú€A¯Çä xh’Æ*õ¸ÍŸG}!óg¡K!.Å•„.Í*$!b4F’K,^‹Ç—˜B4Å™3D‘¯¤ta‡jæ5¾ñèÙ³äþ»ž¯o ½VRZ¸cõKÿ<t¨ “™Ö=9¯±1úKþB~aÙS»ûÓ\Îès +»Ñ·D—vê)²…"Žò„?ŽQBÈ3Š^TxAx-Eä–Hi)tO^dílì¸ç•²œÁr
…l®¡<¥Š
Á”•†Å ݆öÄ!ÃpŠ‘”»\¦6¦Ói&I¯OrÀ~"‡€‡sgÜ®+Û¾TT +:}Öa~Ô2èÞž5˜»‡Œv9vgÝOrêÀhÏf)ÜÎT’šš1/…i4ºyœäÉvÚNðØ5°oZ\kü£~^sW±ù¢*¯2ó¥‚KW´AXâ”°ÐPN™þ"U-üřФð«HnJT6¯*:›5QV ÜÛÑ÷F^¯Õ¶½Û1rOFFOÖíþûv”Í™ýÛ;^ÖÖ¿¶nþܜÕÅ·çÞQWG*|i®÷ͪ¦Å•©©vÉnÌ|`sÍpaAé,ïËþ†¦E5^o‚Þ®MiX€²Ú8ù{î/ìðÀry¾ÉÛ䥹$Õ˜“fŸCüÆ9 ~{iÒV›æÛÛH‹q#é4“c¼Ùl
è™Çãp’ özÒ®TTóçåW7î7]ÕeƒŠæ_·»„)Ó/-âþ²úÉ5Û_©oXLòÿÖ~¢QÛúÜòGO<ûxÙ¶‚ìz›¶6ßWW_ÿëûP÷g—d^¨ªûü+ï¤ØmÕŽ?`[ÐŽuóä¼¹Æbs±unBÐXm®¶DS@b¶ +¯!égŽ“ÔŽðú9
ܰº¡1øÑ¡ïþ®nAÝÚµ¨=ÌWcî¡Á<ñÛòFY"„
•$Hwc·b¤åv3¬</ŒÊjemŸ–ÓJZ#ÃïE“ž‰ãõeP +1‹Ä±°Y]Z<ܾ‘oá;ù¼†ïС—F)„Ð+ã!†ÊeWR•ÝæhèôéÓS/ñ4 Zçá¼Ä/~õ›£#_¦)D‰}û‚<ó.Ñ÷¢éS–Ïõc¦³eÌ·Ó£ƒV¥5ñ^ü¬²µÏJõ‡4¯¦
%iP¹À2O½g´\¿6§©dùcÁH¤ïûm³òò¸Z©±âòïY艕A^£èËÓè —ãÊ P*§ê„$Ͱ†£¼Mâ-•<Fx+÷ƒv—½ÝNuqwâ”÷‹úT‹+WVøªÀE××RÄ–GÖühãøK³ÃÙÚÜðÃ`d$¸øíóô—Ñ;[¶çæe-œËUNíœA? ®ÏÙl[mœÙ VÆ3#j¯ˆËß;µ¼Yç0Œ%NeLŠû-W
þkìÚæmlM$Ξ´:Øø/ŠƒŠ¬{öÇt¤qwFNöUgôI=±6V…ë{11Ý,/ªˆŸ—ãË›SX-ãæTæW‘¿2¡›ôðÝ #|ŸÛ’ÊÇylY²ÓeÎ0s¾McˆàI‹s€`‡ƒ>—/ࣹNû®YŠÇ5x-ºt%Ë+(voϵŽ1‚(‚¤–«!ƒœåº°Çªb±ØgmO6kgžëh¿ÍëMiyxèÜ—ÔÎþ¦ð
úñHðvùá‰;l~b4öaìó¤ÄÓqþ™Ù™›«×WWѸ°°®)3«ðò¯h85ùüÙÈ™€¢J&?ŠÖ$A±œÂû)Õ¿ÈiDàšt”ã CgÒÊ[5=ÚéŒu:§›JW‰GuZ˜£³Ñ¨‰îŽn?Ë=Ç{b7G‹pV‚÷CœuL€»äù,[(aeB-k„l¾Œ—ù%|;©)™ƒ£\dr³¡”[ +mb§Ð-Š¢UgåOÁ€M4#‘Qž£¢IëÒ6iGµV
±²UMü(OyLb/•™?TLL ½SÖ| ¿Jœ•”ßT{¾ýìlô?Þ#‡1¸F¢tˆk‹®§){k@Ç=ŒÉ›\2—Grh6—Î2ø41WWLæòÕ$È/'+X¿\·‰®eb·Ô¡½Y·ÜJûÙ ¸CÐëRôŠ«Ò8^ +BåÑò+w1EűІOñád’üå÷T=À»†4p<Ÿ ÅBµ°XhúAâ4|—È×’n,'Û9‰j”ÓåŒc
PË(p•UO»p5†L?©ÓñgxØ‹²&‹g5¬“me<û†ˆÚŠÎc¹’©}%žÒ[oüTо|>Võ²œ¬d¡/4ä
–yù%®\9ë›ðN¸mL'åÃuÜn;LjŽ2´^ÔëIgç“Ä$]6—-fëæÒ2ÎÇŠÅr©H;G¤Õ¬Z\(Uiƒº²’¶°•ürM›Ô¢í$Ý´“uóÝR§v”ö±qDê׎èfêÕXQ¹9Ž Ø¯Óo´Ï¹P,¡Z†‚ +›•uéÛ*pâߪÒüM…mÊ<˜[+p‚‚çâU8IËMñãTiòU8Y¥©Pa— +7¨pšJߢÂù*¼NE•gn‹ +OÍ«ë§ðw«°Â?pßZ¶½¯s}x]§;¼¹ÃÝ»ŸtÏ*++q7n\×ß;л~Ð]ÕÛß×ÛÜØ»y¦{~O»yㆮÁwsç@gÿ¶ÎŽÖÎþŽðæpsç†=áþ«ãæLãÝÓJ{ +4¨î¿û7©œÜŒ8e¥ÿ‰Ô®?Ùk°ÒÚxþ¾B׃k_æê©ÿƒ9{fûõm–Âf± «cX—}e…Í8ï?šeÖÛÔ}+š7ñýx›U.þñ˜k0Z¨úL.„¡ý^ƒ'²}%æ ÷„<±x¢obçÄ£ãç'ޟОžøóUHúžM´—¸ª‰©ÕÕJ›ZÖ´ÐÞeä‘eG–Ñ%KYóÒ¶´ÙÆ44³Ú†RV×àcõXüe¬<àc +6/àaUdVhfó±ÈX~óu0L™¿x+ö§°óÅïÿ¹˜;>ù§£Ï¤×—Ÿ|ÿè3f/¾ÿ$ž‘L%Ï8êÙ¶£wE¶þ|ô¨Jñ…<yTJ+9jgwų¾ž¾!júÎoSù» I%òwœ%ò‰Jt–ܵ+ÞeºÓ´Ë´Ï´ßtÀu§kŸkÁ¾»vŽí¿÷À®»Œ™äoHæS¿«ŸÊ[$}‰iqŸ#ÀÙOÏR÷OåŸRXK`y-•Æ©iÉ·ZXž5åZËXŽ5že[mÌeMaws[ËÙËŽæpÖ1§£œ9¬>fCºxd7Îê`,}V"[çW•˜Œ9.ˆáÅ K&èÒžº$,|$èb/]܉ ‹>t‘cA<t½x&ÇuúTŽë¹5âq=Âãzî˜ÇuæÅ—§NÿÄyáÇúÏŸÔ{î¸ÞÙ¡ò‰'¨éXàXÓ±ÑcÌt¬ +¶ÞhM…—A¬sÿéâV
+endstream
+endobj
+
+7 0 obj
+6313
+endobj
+
+8 0 obj
+<< /Type /FontDescriptor
+ /FontName /CAAAAA+Verdana
+ /Flags 4
+ /FontBBox [ -49 -206 1445 1000 ]
+ /ItalicAngle 0
+ /Ascent 1005
+ /Descent -209
+ /CapHeight 1000
+ /StemV 80
+ /FontFile2 6 0 R
+>>
+endobj
+
+9 0 obj
+<< /Length 375
+ /Filter /FlateDecode >>
+stream
+xœ]’Ënƒ0E÷Hüƒ—é"›G !%$H,úPi?€À"ƒYð÷…¹¤ªº3síƒÇI²s¦›Q8o¦+sEÝèÊÐÐÝMIâJ·FÛ–T¢jÊñü*Û¢·-gîϧa¤6Óu'¢È¶„pÞç‚a4“Ø«îJO¼øj*2¾‰Íg’c)¿÷ý7µ¤GáÚV‹Šê%ó¹è_Š–„ÃíÛ¬š+šqÚÎJ>¦ž„‚ÄÙÊ®¢¡/J2…¾‘mE®‹(McÛ"]ýÿêyèºÖåWa–j9W»nàÆ(†0að +Å¿WÂÇ;2¬> àp€Z|”+=ÜçãÞ–«åiüœònÌ<3<´<+Ë”4š~»ïzî[?0õ¼Bendstream
+endobj
+
+10 0 obj
+<< /Type /Font
+ /Subtype /TrueType
+ /BaseFont /CAAAAA+Verdana
+ /FirstChar 0
+ /LastChar 33
+ /Widths [ 1000 603 274 595 600 520 351 520
+ 606 972 623 394 698 683 426 632
+ 632 623 574 591 274 623 632 623
+ 591 363 615 818 351 363 454 591
+ 988 635 ]
+ /FontDescriptor 8 0 R
+ /ToUnicode 9 0 R
+>>
+endobj
+
+11 0 obj
+<< /Length 12 0 R
+ /Filter /FlateDecode
+ /Length1 12332
+>>
+stream
+xœÝzy\TW¶îÞûL5שª €sŠb*Jd‰”@aQÕRˆ…‚%ƒqˆ"Ñ &‘$j†Îx“Ò}Sf¸’ÄØt†ÛI:“îíŒQ;7}ûuòº;R¼µO•(ÆÎíüÞûëUqÎùöZ{Zk¯½ÖÚ‡êíîkG:´1È·r}[è—‡®Û‰z !l^¹©WޝõcÀÂuzUhõú¿Ï»ßŽó<BÜÒÕ붬JªjÈBH†ýÛŽö¶àŸ¸kÍ¥&A%@ˆUP®‡rZÇúÞÍ·–_åÍPÞ·®keÛs]¶„\PD5ëÛ6‡Â$Ÿ@ùr(ËÚÖ·«Cï½ +e¨£^êêéÝŒ«"Mû=出ÛCϼõÀ¯ üW˜S!Ð0|éG§e°/¨ÔNo0Š&³Åo³'$:’’S$Ù‰þ?ÿðV¤µ:…¤s÷?l J™øhê=œøæî{⟋yÁò+×é
Ÿ"î©ýâÕ—í‡>èúwôô¨r=ƒN ãðýWt'Ћž½Bèyô3tP¡_¢{ÑOÐaô€Rºh…ÐCèÆ)Óë%¡è¿G½h +-ª]¢®ùSnl*JßÇ´š*WU»&g:¦ÑÔ‚º¡c¸fV +¡¼wºg»ø¬P^žØ€=˜qagA¼-ÇYy¦(#s:¥””ÎÂìœeŸÜýöÀó¸ïÛ÷°wæ¬5kRÓ<}Ë?øðæ»Êª«ÈsókÇ_çNååä,Ýú..,lNr&ß3-Ï{=•.sâ#v »r®btÀׂr-¹ÓâÒsˬE¹sãªsë³WeoÊÖ&!¾8¥8%e0¿ÈšŸ_Tâ-ªÌ/)-)s»ãóŸ(åwÇûÌ ¥ñèhvRaRU“””cYàÆnwú‘±H}‹%UŒ¸ )&r®gL<mòæ‚àŸzö¦{8y¯¡¼œ{öÙü<EpÁ +éC–mI½©ƒALL´;Ô½^£Ôê¬Z¸v£éiÞÍ:¬«¬Ñ6i¯Ö2Ú´ô´2í9…im·˜D1å0¯u ŠŠ1ø£¦lª€Gü˹-楂/ÝWVµ¨LØ\…‚¢(¡(ƒ£è‘nhüt`É‘YëNà¶ŽÀ£ëï{ð¹ŽîÅ_1<{SýêûK¼3ÈÙ"ïêÜâÎŒds뛽øÅw®XT4¾×•¬«vXì°] ½ ¤÷ú²Ô#.‰¯—ÖÄ¥~UȤJäãŒÄ~Ä(:ðñqTÔ”Ýê'ÓÄoÇ`Þ°Þc°Ìçç[\dŽ.+V6ð¹mÂîZVßôéÑßþaiãâÿ¾á7ŸF^)ñnm»mFIÙà¶Ö;Èë‡#_Zsõ'ÏÆâšU[ß?P÷zß¼Ù=tó2°îà$?‡s…mð%&èK´5Ú-«N¥ÕªTƒjUÖ˜©ÞÝ w³Ù²b‹WS™¡.VûÕê>5§¶X-eêÇ-p@¹ÅhÔÕàç*Ær§z9OlETå†ò|À®èff\–Øbؘ“š,þòÇ=9q2cÏã
ùÓ²™#uCùÙ3làþÀåœ +Ç`#À¶…… ìEê¿“L,/ĨãœÌ¤ÿ*<ï½,®ÒBK!ÃìH\³Y#κ7Z5®ýùCGÔªýý©ýµ'jÙÀÑññÌö”¹s’T÷Ì[vËY¤ù(žù5õÙpVᾆˆd@Éh½oÃ4L3åé|ºós{RˆlÓö›úͽŽI¡dc¼Í6 ¨¬‚ 2nG#’OÂ)^Ue†P"ÔMÂ&R¤”2á±”øacPîXÅ…!ir÷Äv
ϺœŽXð"B,)û¥ÄÌ}ý×ÿ¼6òÕC‘
–Ü‹µ]kB§.Z8rðþÈŸ_½á£à=?cÿ%2ÿê9yÜ©œys>ûy÷ý¥%éßõåz—á¥T²2¸-ãÞU"u¯ý„°Ü á^¥ÄÓbÞÏ7ò}OUjU™QíS÷óýj–gî$>½XJˆ`¤Q¬‹nÿ@T +YÈÚÛ×Ê[ÇŸ"UtÕ ?c“`7p¨Ö—ǰì +äÚ3ñw†û +¼j§o'lIçç“ZÓ2Ó +ûŠôu¦
éÑØ¶§Ü(C]†ŠÕ¬O_§'z½uXÍ‚›F–´4¦NJ¼Óˆ¥:;q;sü\¼£“Ÿt²šQs22}ßÅBp˜âey–|ù,ròšÞ\÷êÀé-9FgUUéÑe¾h¬oýW<X3»#ÝÛùÚÓ±þ¼öÖŠêÞÔä̾ÎU‘÷îå3SªN>]Üpî}‚KÉÞ$t§ol É’/¹Åb¸Dìdºtâú”~¦_·UÜ(‰*³E,–kœÕj3‰FɈ¶ÓüTJ2£/â*3¬%Ök“u“•³Ò—
ÖÇd)NuSžÉg"&“UŽcŒVê{£¯ÌÞ©é8ÍjÇhR‚Ï¿|€žú®Áþè‚WD`ý²3cC݇{^¿êÆ™•s?ø<²9òÙuÏCœ=¼ï3|Ÿ?Å®(ž›(ÙÇŸNË)8òÝ·dñ88×twoÓ‘3¥p6|ìo´!
ìæ€ZÒ0™l#»ŠeØÏ©UïÃ[x—’ÿmA›Àñú 0 ‚ˆdHÞ!U€ÜsNšŒÅ¢~6WÆÍãf8¤Áµ1¤rQׂ* |ôeMÇÔÓt,0:ªuºEJ-„¹± +Æwüå³ óµH¾/àNí%wÂJN|Ä;¸?)'»¥¾yn&[•¡K5yUE¦ªjS=©7ÕYIAs§#DBÍØ6ZúýIqn>ÃXÆçò5FÞ>ldü%Òóô”íêã—:ûAÖ=i¯2Â%æX<<g¼£¯«;2úBäÛÈ››7nÀþ§±Oì©o|yä†Ó‹ë_~üàæé§#G¯;xøzÝKøªýƒ÷Dþpö¾nœðó—ÞÝÚyÿ¶WÞß…ÎåàcБ)ùÀP{BœÛêŽë4tÄm5lŽ£yúÿ:/@ÿOòæÒyÁê»þA^ +^¾k`¸bÎÇ]ëÖDNßðŸ_¤'ãí?pxlÖĨ…u1NG§|Ã(‹L7OÏH“sJSK³Š³‹sü©þ,N3ß”jÝinâ-ƒà—âm%¶¶_Ú¾²q¼Ü6h;l{ÀöŽío6ÁfÃòy3JIIr¹ÒS¥TI”VYv²²?‘·"/”Gr½ÎʹXöËrŸÌɹy¹eò㹺[¦‰Ž[2D§< X5§Ê °]Ñ÷FzN
äß¶@‡—NAmÑ×Fuj558ãüµÂMDÍßâ&½l(¿y[4+í|dåÆƒ¶k__uÓÍÌ*ç¼Å—dÎ_Ô<3Á—0^L®™µÀ½´ê²…J¦:wQkCkÃ0èøúHùva*ö¥eK
—Ëq^eXeíÇ›¬j-ÂÂZHÐÌ'‹Y0šB¨QE5ì‚Ô‡Ú‡¹´0Ž'Še˜m$ïÍ%½ËZÆnø¸û¯lïß±.ÆõŸÄmÞ‹Swkê#‘;ùväöÑœ™kTræµ>?G0y>öBAddf¶NÍ2uh5½V °ð˜†;ôùV‚á|Ž©áÜ‹ïcSŽ^Þs‡/%øÀf?Ìå‹ídoæøÖŸ>›™.+R÷³ñ<˜ž¨‰¼Æš•Ü·ÀgÄ„a~ƒ°•þp +O<¹ž¨q2ô˜úd߆RåœOû!¿gþƒEo’Ü1$þå+zõ(I³:rå0®ÆÉãÉ
´‡0¬š]YµR_ºÀÙ87›a[:5+-[Ä Žf,˜³á$B6}êºQOW1d ÔÑ“ÌâÂx3c_ÞÔô_>îù&ØÝ½}ý›-}LßS‘#ÿò/‘wwh¿»gw?ÿ^}æPäWôÝ8z|>)´ÂXþ
rDÿÿ«'6Lþ×¾&ê Ÿ$°º$F„6*mdÑÿ5×Ó{Á'•¦l쨆}e²dbÏN¼Í¾‹Z˜5h“‰vò2šC +Pûz˜}5“œC^ƒ˜Òm<¨‰Ñî,ª¡u˜åH`Ï¢àWs‡ÑîFTÃmšxŸi=¾í^€~ïE׳·¢æÞ‰òùÄsðÃ\$t=ÎÀ£¤‚ÜBþ‹é`Þbìrö5ökök.ƒ;Äs|FhN©æ¨^QOSߪ1k~¡]¦½K;¦‹×•ê¶Åt• +'©¨|g£™ +æ(ã:6*˜ºçÄ0‹’°WÁ‚BoˆaJoS°J¡oaJ¿NÁjúû|cd ž†úÄÃZFü1mÉ=1Ì!;y*†y ¿ÃZNþ[Á:fAÃü™€‚µ@·2Ûb˜EiÌ
+Ö]d‰aÉÌ3 +6 +¶(ôܦôËl¥r±KcdaW+8N©¿;†iýC +ŽWèÅ0¥GåMPúy7†i?gì õ9&†¡>O2ÏåÆ0Ôçf*XRèM1Lé+œ¦ôÓôŸƒ +ÎQê?ôþqŠUŠž¹7b˜ÖÿHÁÊü¹‰:Ow5Ö)õyOSº²Ö:Eÿ|S³`®«ë·„ÚWµl—Û6å`[o›üs9ßë-‘¯è\ÙÝÕÓµªW®êêuu·õvvm˜.Ï^·N^Ô¹º£·G^ÔÞÓÞ½©=ØØÞlÛÐ6··m]çÊÉfe1²¥Óbô çËY“uÜS뜫R0½°8ÆÉ™ä(õ:{ä6¹·»-ؾ¾{ܵêÒÓ„íÛ‡ºQêD›PjDíP +Ú +QñEmr.Ñæ|Ьõ*z =<»aEee?F›?Æò.´’.¸÷Bù¬e²Îyi6B©ý4åWã…Pêý^½sô¨$çÆøþœ/äž—€Zã?–rÿÉ]0‰· «/¡³©\*ÛG±•üþ\§pÙD¶Šõ±³ÙlÁÅ5§ðjÐLåþ“2á¼É5X{q½)¼:ÔA¼zÛp y¦rýÐnkŒwqÍy?Æ„>t¿Ú ’?¡‰ÿ×|´ùR¿6=þÇ3 Òé3‰}Ù·û·¶„’¿Ì¾úrš$¿í{›,xiÅKäw/š¥®ñ]/>ô"yaX%ýæÑ4éŽÛJ¥Ûo+n…ë¶CÒÑÃyґ×K·Àux8Gºh7š.®‘¤áÜa2|H–ZqˆÜuû>üðC"~ @Ðâyø>¨û ôï;¡Ö–ÐyÔ=©KÄ'°oD-– ãâqù8ÓúXè1òÉg.éÓÏd 嵎1uoaß›uo†Þdþ<'ýéÑék¸îz¿ûÎ4éwÒ{ïO—Þ?i¦Â=ò†AT:ŸxC#–¼~R%†ñ5éµÜטWO&H£pýz{ôÔII:Ùï•®?P+Ü_+ØŸ%
í¯’®ƒkÿé'{¥}{¦K{÷dKƒ{‚Òµ{ê¤Ýpùö”_V²Þ½Ë,íÚY+
ô×J¾³«KvögIۡпÃ/…v`ߎÙU%îàÌ`m°%Øì
ò¢Ñ)ÅÇeKï”ìÙË8%‹9[š–cÌö²ÜÆŒLCZº1ÕeÆÉàHJÖÛõqñ6½ÙbÕE“N§7è读yA¥cXN'7hÜi$>~'O|ÌN†QZ€|ýˆ5B–\ÆÕ~^EH嘩’Œe*‰ñª$4C%Õâ°¹ÕÖW†-ž‹+Ã…žÚZ.ðÔ†ÕuK›a|}PÃdßFõav߇¹jÉÒæœ@Ù{”ßeÁ;÷<è˜D--žäp°vqs8”Ü. àÆääOOoOOç|Ž©éèÁE•Ç>gé¯6ÛŸ»ª}ñ¹òÎð®jÊþŽêžðGx‡«Úó»òœgQ +W¯2ÔÓëé›Z¹×›ú?XÈ?Ú
+endstream
+endobj
+
+12 0 obj
+7994
+endobj
+
+13 0 obj
+<< /Type /FontDescriptor
+ /FontName /DAAAAA+Verdana-Italic
+ /Flags 68
+ /FontBBox [ -131 -206 1459 1000 ]
+ /ItalicAngle -30
+ /Ascent 1005
+ /Descent -209
+ /CapHeight 1000
+ /StemV 80
+ /FontFile2 11 0 R
+>>
+endobj
+
+14 0 obj
+<< /Length 378
+ /Filter /FlateDecode >>
+stream
+xœ]’Ín‚@…÷$¼Ã,íÂÀŒˆš‹š¸èOJû +endobj
+
+15 0 obj
+<< /Type /Font
+ /Subtype /TrueType
+ /BaseFont /DAAAAA+Verdana-Italic
+ /FirstChar 0
+ /LastChar 33
+ /Widths [ 1000 603 600 520 623 606 426 394
+ 765 274 590 595 268 351 556 520
+ 632 748 274 420 623 351 698 695
+ 682 787 632 775 973 454 574 454
+ 363 454 ]
+ /FontDescriptor 13 0 R
+ /ToUnicode 14 0 R
+>>
+endobj
+
+16 0 obj
+<< /Length 17 0 R
+ /Filter /FlateDecode
+ /Length1 8408
+>>
+stream
+xœåY|TÕ•?÷¾Ÿó+ó&¿“!¼7™CHÈ/~˜1!AŒHA 5“_˜˜1 ¿´éÄ`«$nK¥ÝÊZZÑÏ®/¢,"î§ö³õS³ZÛm×®V«K\·‚º…¼ì¹o^øl?þ½ïͽ÷{Ï9÷ÜsÏ=÷ÇÌôõli' +ëíX×îwµ¼õÔþ_`}ö‘íîí{¶OdéŒíi‰nßi7°þÚ$"àË'B³N9^%Ùfw8] nø÷ˆÉ`ǹu*¿üá7Ÿ•“ï˜ù[S؈LžûÛº'¯ñ\ÍÀé7ÓWÑFÆhÞµ´•‡<Hö’RO¶‘.²…tÙD1¿kÝðOf§GàC¢‘’@ñ‘à<É%Y$‰ð`Çú”9kJ~ßÌÏ’Åð)}ÇÙ~¬¿oÀ{0I€Sø¶áû†h 3ÉlRFn€Qû”}FàÊü¶ù=¼Ÿ™¬#[É y˜ºè +ºåÒI%¹Ÿ®¢çùÈ6šHÚ¸çÉY"’’Ïãºü§Oþ‰< +osùôl‡›àu²ˆ„¸#Ü\N¥cô.¬²Ò’â¢E…ççÏÌÍ›3{VnŽ?Û§©3³fx33ÒÓRS’“=Š;ÁåtØm²$ +<G Ì#zzeÃH†ðú|¾Æ|«žye]çr•?ûtH¼BÈ{U£WÕ³®ªÏ¼X¿Y‡d½Ú_¹œ)ê÷uHÒI²¬’´ +{²UE6û«:ôŒÊHs3¶XîW4½ú“ eŠ©{Äa¯ôW¶ØóçÁˆÝÐe£#¤ú:bZ]µx„‚ìÊŸ§'tš[ÅÒf=´¿9jBNÒ%Îèäé.g6›BIqDt±R—Ì~µ=Öa¿62ïô࣠+ll8#þHxz.Œ6Ž +—Ëq\’»FsËs‰·_<ž£œoÂåMãå¬ß&¢€O™“ëHÑ¢Y³ç¶(%”äÔ´™¤° Xl5ÚƒÆwvr´‘VòˆÁ•_WP¸ç†•;‹Ê—ì½ñƽôOÆ÷Œ&ò‰ Ðaãö mù‰þ½'/-^´´ôå]{~²dIió\Þ
^FÏ9ÉÂÐæ>¹ÏA¹PZV WŸ ”ÜL¯çWÊ«löjÇí´–o7ØêíÝ4ÌwÈ›m-öVÇ9f‹Ú·:öÓÝü~Ûnû>Ç!ú0Èö°ý,9/h.Jy•*|jüut!_&/³Ø‹N~tòímfA Õ0³OÕl¬†¼Ó!Ú@™!È{3tkJV‰m.f1J¨Ã¹íŽò„—¥˜(ˆ"± ‰$KÈ&ùB!Y*T’›„[I£°‘t =¤_P8A¶9œ"9*»î†-"'úìîüC(HPB Í œlò&(/OL+[¸€4ݧLœ>må$`=MM€™øðC|I˜%É/ÝÆmÆ9ãæÝäÀI"‰áaì/A±ó“<a ÏÃxA¯K0/”Iø"ÇÁzÖÇpX¼MVl![ÌÆ5yXH¾7ñË'ð2A¦¢²ÆFPÈæGίæGÆ‹Gá]ácÈoŸ +Ò]B¿twâ]^göPÐßí§~æô2›Râ÷Û¸ «ÜÕ특x—+yÈÆg
sIAÿjòƒèrù¾0+4‹döbŠ˜‹Î<ž«|Ö4Î<7^4M†òñrĦý3¶$+òþxxðiÿ|rYt#¸Äڻ㹻:ò4Ù=Lìft,>t[ë*ÊWâ5R‹RßЧÖÎ^E¾O:Ézr´hµñXÊ*¯6éuKOìøÜø¥$‡dÄ÷þSs_XÊ´X †Äf1*ˆºˆPÎ~€Èlðn%¥Dæñžìm1ßpD…ÄÑ\csà?=ÿ +_4±’‡ÆŒ·ILá~éxóŸiΰö„VØlv™’XµÙ9~— ˆ%b©T#.—Ö‹õR—¸Qú†x—d_«„~èÇ«àpÔNì`·qÂÝ"9Á~/c›hWJfàvpªN"°¨m2Ã6XÞ„qŒo'ñ¨=mæòé<Âù8ŒVg½m¿m3úé,ò|àøq’o¼.Œ]袩¡×º&ÿ(´ +g ~|²'B Jò +Ì +¬ÿNñ_ƒ{Ä.þŒy×w#œ$Ûð=L´þŒëäžägòwñGøÿn±zU`‘eÅ7x¤Ïuxëf܆À”m•í$xhUZ˜7Z˜ƒyp³…ypâòŠcñ^‹ˆ‡,,AþžõÄs¨'^µ03á÷&n‡ÿµ0™„3±ˆt‘dY˜‡Tâ7±„t™”Y˜‡tr½‰e¤;I£…y˜AZLlC+öâ!ǨdaÔCS,ÌAͲ0ê¤[,, þ¦…EÄG,,Á×è&¶³qq^㸸<;žÈ°0K.n›“õËÝcaì‹»×Ä HW¸CæAãž4±bêyÅÂLÏ[&Nbþá&-ŒþAï1œÌìá½F{ø¸=)HOæWX˜‡~½‰SMù˜…™||¼¦ü“fò/šØËæ‹×Â8_ü¸‰³˜=‚da´Gp™Xeò‚ßÂ(/ä›8‡Í—°ÂÂ8_Âç›òÝfò;–M?ÃF;…Ã&6í^´0£›1æŒËÿ—…ÝŒ1§é1ÍÂ<†«Z¿#ÚÒÞÔ¢…ïŒh‘p_X;ª-,++ÖVulêéîíníÓ*»{¢Ý=ᾎî;çk×wvjumí}½Z]KoKÏÖ–È-=‘ðáŠîÎÈÅF‹-¢Æ¨¬Ò‹µ…Úœ‹y—KL Ì/,²èùÝ”éèÕÂZ_O8ÒÒî¹Cën½¶y¸<[
z0ïƒ0ÜŠeD݉I»ŠÛ[ˆ9N“»ÄiENd?N6õôMãZtn÷÷SîEÌG®–¹‚W; ŠüVälÂR3¥"XFL+™Î£˜âæUňVAJö@7ôbjE
7¬n¤DÍœµê@t'ÌGÎõЉ¯uHkƒväõšµ,™U[¯1Æ +l݉µé=-ž6Þ)Ù)N¯Õ7³Xƒ9×Б÷¥:®ÖP€#(„¢«äó¯’¿¤§Ã[|™"Èï²î@ëý«xo*^:þj4Ź7aÙŽåVlÉ([¦ÉO—XaöÖ;MrŠ^؉–†m>DÚôH»’?ծ׊Ìî/Õ|¥ÄôŽSo@܉º[¯)s%·u1ol–÷vLkq-™Ë½8ÝÞ+¸¼Ê_Ç/á+ùb¾”ñËø¾ìê×”©ÿÒ•~‰S}Í1Æ©5l¤d!Ò®æ_âÔ˜ûJgcú(.çÝ„)‚ã™O—8_%ÿ¾’Þ©H1ï=ñ›ÞxýZÿ¢ÿÓ9êï{Tö-6ò¦S)ýùÍG}Ó/1½‚é˜~Žé%LGå¨ßÃôÈ!Mýî¡9ê¡!¯ú?SÔÌP¿sp®ú탹êß!$QÜýgòðP†:<PùT"¬£
C¥Ø}R=<ÉBà„r‚ºG <K´/b_PåsíóÐç\ìQÎjg©öqíÇ4x¦üÌê3Ü‚_GM==G}ú˜G
+?Ö¬GõèÂßËQßÅ|upìŸq ¬£Égükl¾:†éµ˜¦þ*æQOczÓƒ§&OQ÷dò2ò”G>E”ǵÇéþû¨ƒ÷Õûc…ê¾Ýéê}˜öî^©îÙíQïݽXÝjºŸxô ý‰OžàC‡‰²AÛÚÀ}ŠwÅÒÕ±Õ,¿=öcª5Ç¢1NqûÔÔ”¹ª$úÔŒô¹*ÏùԤĹê¼|÷Ü@œ<÷¬Ù 9¹îl‚æsÏT¼3²\é™®”Ô4WbR²ËxœNW‚“ý3-J²“ã'êTÜnDâ8ê†rX
1àÝx-‡PV7V^„_Á$ÈÞ%²ê^,«\™¬B©¬Ö=±jê+ô$‚åš +½0P3*C^¨ÑmµëFùV#Ruº§§^ç÷R,+×o%Œ½Çü' Ñ(ØóÍoz/¢ÆÆ@–©YÓ G³õÊjöƒdo_oooàKžë=RW1ò!Ïþg +ëú—|ô¡ùŸ“þ‘9±š^®!*½X‹.{ °Å¤÷MëŽ5ø?ü÷ˆo
+endstream
+endobj
+
+17 0 obj
+5068
+endobj
+
+18 0 obj
+<< /Type /FontDescriptor
+ /FontName /BAAAAA+Verdana-Bold
+ /Flags 4
+ /FontBBox [ -73 -207 1706 1000 ]
+ /ItalicAngle 0
+ /Ascent 1005
+ /Descent -209
+ /CapHeight 1000
+ /StemV 80
+ /FontFile2 16 0 R
+>>
+endobj
+
+19 0 obj
+<< /Length 297
+ /Filter /FlateDecode >>
+stream
+xœ]‘Ënƒ0E÷HüÃ,ÓEÄ#‡„Ò$H,úPI? +å¦õlü#¹N!æBĽÄÁÔmoè{YæEî{¨åÿn”²«iÅWmu4«Ã0ÙçÄÁ† Ý$qHr'!ز‡e;†”`ÏØ³!82°ì™!&8±‡Ÿ>3.,Ûܹð”÷i–iG8Åhíœ$’\²Së6½!ßïñwp‘/endstream
+endobj
+
+20 0 obj
+<< /Type /Font
+ /Subtype /TrueType
+ /BaseFont /BAAAAA+Verdana-Bold
+ /FirstChar 0
+ /LastChar 15
+ /Widths [ 1000 837 850 1128 341 681 811 683
+ 776 710 812 782 830 545 763 846
+ ]
+ /FontDescriptor 18 0 R
+ /ToUnicode 19 0 R
+>>
+endobj
+
+21 0 obj
+<< /F1 20 0 R
+ /F2 10 0 R
+ /F3 15 0 R
+ >>
+endobj
+
+22 0 obj
+<< /Im3 3 0 R
+ >>
+endobj
+
+23 0 obj
+<<
+ /Font 21 0 R
+ /XObject 22 0 R
+ /ProcSet [ /PDF /ImageC /ImageI ]
+>>
+endobj
+
+4 0 obj
+<< /Type /Pages
+ /Resources 23 0 R
+ /MediaBox [ 0 0 595 842 ]
+ /Kids [ 5 0 R
+ ]
+ /Count 1
+>>
+endobj
+
+24 0 obj
+<< /Type /Catalog
+ /Pages 4 0 R
+>>
+endobj
+
+25 0 obj
+<< /Creator <FEFF005700720069007400650072>
+/Producer <FEFF004F00700065006E004F00660066006900630065002E006F0072006700200031002E0031002E0033>
+/CreationDate (D:20050410124845-07'00')
+>>
+endobj
+
+xref
+0 26
+0000000000 65535 f
+0000000017 00000 n
+0000013084 00000 n
+0000013112 00000 n
+0000105823 00000 n
+0000082709 00000 n
+0000082816 00000 n
+0000089234 00000 n
+0000089259 00000 n
+0000089497 00000 n
+0000089954 00000 n
+0000090305 00000 n
+0000098407 00000 n
+0000098433 00000 n
+0000098684 00000 n
+0000099145 00000 n
+0000099505 00000 n
+0000104680 00000 n
+0000104706 00000 n
+0000104951 00000 n
+0000105331 00000 n
+0000105606 00000 n
+0000105678 00000 n
+0000105720 00000 n
+0000105960 00000 n
+0000106020 00000 n
+trailer
+<< /Size 26
+ /Root 24 0 R
+ /Info 25 0 R
+>>
+startxref
+106227
+%%EOF
diff --git a/cacert/www/docs/cacert_display.sxw b/cacert/www/docs/cacert_display.sxw
Binary files differ
new file mode 100644
index 0000000..e9ac400
--- /dev/null
+++ b/cacert/www/docs/cacert_display.sxw
diff --git a/cacert/www/docs/encryption in the real world.sxi b/cacert/www/docs/encryption in the real world.sxi
Binary files differ
new file mode 100644
index 0000000..f32b576
--- /dev/null
+++ b/cacert/www/docs/encryption in the real world.sxi
diff --git a/cacert/www/docs/flyer.sxw b/cacert/www/docs/flyer.sxw
Binary files differ
new file mode 100644
index 0000000..bdb8d06
--- /dev/null
+++ b/cacert/www/docs/flyer.sxw
diff --git a/cacert/www/docs/incorporation.jpg b/cacert/www/docs/incorporation.jpg
Binary files differ
new file mode 100644
index 0000000..1396497
--- /dev/null
+++ b/cacert/www/docs/incorporation.jpg
diff --git a/cacert/www/docs/keys.pdf b/cacert/www/docs/keys.pdf
Binary files differ
new file mode 100644
index 0000000..2ee23bc
--- /dev/null
+++ b/cacert/www/docs/keys.pdf
diff --git a/cacert/www/docs/keys.ps b/cacert/www/docs/keys.ps
new file mode 100644
index 0000000..929f146
--- /dev/null
+++ b/cacert/www/docs/keys.ps
@@ -0,0 +1,94 @@
+%!PS-Adobe-3.0
+%%BoundingBox: 0 0 596 842
+%%Title:
+%%Creator: gpg-key2ps 0.1
+%%CreationDate: Mon Sep 27 01:14:05 EST 2004
+%%Pages: 1
+%%EndComments
+
+%%Page: 1 1
+
+/w 596 def
+/h 842 def
+
+/Times-Roman findfont 9 scalefont setfont
+
+/newline {
+ /y y 10 sub def
+} def
+
+/hline {
+ 30 y 3 add moveto
+ w 2 div 30 sub y 3 add lineto stroke
+ newline
+} def
+
+/needhline {
+ /condhline { hline } def
+} def
+
+/noneedhline {
+ /condhline { } def
+} def
+
+/pub {
+ condhline
+ 20 y moveto (pub) show
+ 40 y moveto show show (/) show show
+ 120 y moveto show
+ 170 y moveto show
+ newline
+ needhline
+} def
+
+/fpr {
+ 40 y moveto (Key fingerprint = ) show show
+ newline
+} def
+
+/uid {
+ 20 y moveto (uid) show
+ 170 y moveto show
+ newline
+} def
+
+/revuid {} def
+
+/sbk {
+ 20 y moveto (sub) show
+ 40 y moveto show show (/) show show
+ 120 y moveto show
+ newline
+} def
+
+/key {
+ noneedhline
+ (CA Cert Signing Authority (Root CA) <gpg@cacert.org>) (2003-07-11) (65D0FD58) (D) (1024) pub
+ (A31D 4F81 EF4E BD07 B456 FA04 D2BB 0D01 65D0 FD58) fpr
+ (2003-07-11) (113ED0F2) (g) (2048) sbk
+} def
+
+/numlines 3 def
+/num w 16 sub 10 div numlines div def
+
+/column {
+ /y w 10 sub def
+ 1 1 num {
+ /upper y 10 add def
+ key
+ newline
+ /lower y 10 add def
+ 0 upper h 2 div upper h 2 div lower 0 lower 0 upper moveto lineto lineto lineto lineto stroke
+ } for
+} def
+
+w 0 translate
+90 rotate
+column
+h 2 div 0 translate
+column
+
+showpage
+
+%%Trailer
+%%EOF
diff --git a/cacert/www/error403.php b/cacert/www/error403.php
new file mode 100644
index 0000000..0fd1c9b
--- /dev/null
+++ b/cacert/www/error403.php
@@ -0,0 +1,4 @@
+<?
+ header("location: /");
+ exit;
+?>
diff --git a/cacert/www/error404.php b/cacert/www/error404.php
new file mode 100644
index 0000000..a51849f
--- /dev/null
+++ b/cacert/www/error404.php
@@ -0,0 +1,26 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/ ?>
+<?
+ loadem("index");
+ showheader(_("My CAcert.org Account!"));
+?>
+<h3><?=_("File not found!")?></h3>
+
+<p><?=_("Due to recent site changes bookmarks may no longer be valid, please update your bookmarks.")?></p>
+
+<? showfooter(); ?>
diff --git a/cacert/www/gpg.php b/cacert/www/gpg.php
new file mode 100644
index 0000000..9ee6dda
--- /dev/null
+++ b/cacert/www/gpg.php
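Review bot: In error403.php, `header("location: /");` turns every forbidden request into a redirect to the start page, because PHP's documented Location handling switches the response status to 302, so the 403 that triggered this handler is not what the client (or, presumably, any status-based log monitoring) ends up seeing. If the redirect is intended, say so in the file, e.g. `// 403 handler: deliberately send the visitor to the start page instead of an error page`; otherwise keep the denial visible by rendering a short page the way error404.php does rather than redirecting. The mapping of 403 to this script appears to be the `errordocument 403 /error403.php` line in the .htaccess added earlier in this commit.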
@@ -0,0 +1,507 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ ?> +<? + require_once("../includes/loggedin.php"); + + $id = 0; if(array_key_exists('id',$_REQUEST)) $id=intval($_REQUEST['id']); + $oldid = $_REQUEST['oldid'] = array_key_exists('oldid',$_REQUEST) ? intval($_REQUEST['oldid']) : 0; + + if($_SESSION['profile']['points'] < 50) + { + header("location: /account.php"); + exit; + } + + loadem("account"); + + + + $CSR=""; if(array_key_exists('CSR',$_REQUEST)) $CSR=stripslashes($_REQUEST['CSR']); + + + if($oldid == "0") + { + if(array_key_exists('process',$_REQUEST) && $_REQUEST['process'] != "" && $CSR == "") + { + $_SESSION['_config']['errmsg'] = _("You failed to paste a valid GPG/PGP key."); + $id = $oldid; + $oldid=0; + } + } + + $keyid=""; + +if(0) +{ + if($_SESSION["profile"]["id"] != 5897) + { + showheader(_("Welcome to CAcert.org")); + echo "The OpenPGP signing system is currently shutdown due to a maintenance. We hope to get it fixed within the next few hours. We are very sorry for the inconvenience."; + + exit(0); + } +} + + +function verifyName($name) +{ + if($name == "") return 0; + if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']) return 1; + if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." 
".$_SESSION['profile']['lname']) return 1; + if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']) return 1; + if($name == $_SESSION['profile']['fname']." ".$_SESSION['profile']['mname']." ".$_SESSION['profile']['lname']." ".$_SESSION['profile']['suffix']) return 1; + return 0; + +} + +function verifyEmail($email) +{ + if($email == "") return 0; + if(mysql_num_rows(mysql_query("select * from `email` where `memid`='".$_SESSION['profile']['id']."' and `email`='".mysql_real_escape_string($email)."' and `deleted`=0 and `hash`=''")) > 0) return 1; + return 0; +} + + + + $ToBeDeleted=array(); + $state=0; + if($oldid == "0" && $CSR != "") + { + $debugkey = $gpgkey = clean_csr($CSR); + $debugpg = $gpg = trim(`echo "$gpgkey"|gpg --with-colons --homedir /tmp 2>&1`); + $lines = ""; + $gpgarr = explode("\n", $gpg); + foreach($gpgarr as $line) + { + #echo "Line[]: $line <br/>\n"; + if(substr($line, 0, 3) == "pub" || substr($line, 0, 3) == "uid") + { + if($lines != "") + $lines .= "\n"; + $lines .= $line; + } + } + $gpg = $lines; + $expires = 0; + $nerr=0; $nok=0; + $multiple = 0; + + $resulttable=_("The following UIDs were found in your key:")."<br/><table border='1'><tr><td>#</td><td>"._("Name")."</td><td>"._("Email")."</td><td>Result</td>"; + $i=0; + $lastvalidemail=""; + foreach(explode("\n", $gpg) as $line) + { + $bits = explode(":", $line); + $resulttable.="<tr><td>".++$i."</td>"; + $name = $comment = ""; + if($bits[0] == "pub" && (!$keyid || !$when)) + { + $keyid = $bits[4]; + $when = $bits[5]; + if($bits[6] != "") + $expires = 1; + } + $name=""; + $comm=""; + $mail=""; + $uidformatwrong=0; + + if(sizeof($bits)<10) $uidformatwrong=1; + + if(preg_match("/\@.*\@/",$bits[9])) + { + showheader(_("Welcome to CAcert.org")); + + echo "<font color='#ff0000'>"._("Multiple Email Adresses per UID are not allowed.")."</font>"; + unset($_REQUEST['process']); + $id = $oldid; + unset($oldid); + exit(); + } + + // Name (Comment) 
<Email> + if(preg_match("/^([^\(\)\[@<>]+) \(([^\(\)@<>]*)\) <([\w=\/%.-]*\@[\w.-]*|[\w.-]*\![\w=\/%.-]*)>/",$bits[9],$matches)) + { + $name=trim(hex2bin($matches[1])); + $nocomment=0; + $comm=trim(hex2bin($matches[2])); + $mail=trim(hex2bin($matches[3])); + } + // Name <EMail> + elseif(preg_match("/^([^\(\)\[@<>]+) <([\w=\/%.-]*\@[\w.-]*|[\w.-]*\![\w=\/%.-]*)>/",$bits[9],$matches)) + { + $name=trim(hex2bin($matches[1])); + $nocomment=1; + $comm=""; + $mail=trim(hex2bin($matches[2])); + } + // Unrecognized format + else + { + $nocomment=1; + $uidformatwrong=1; + } + $nameok=verifyName($name); + $emailok=verifyEmail($mail); + + + if($comm != "") + $comment[] = $comm; + + $resulttable.="<td bgcolor='#".($nameok?"c0ffc0":"ffc0c0")."'>".sanitizeHTML($name)."</td>"; + $resulttable.="<td bgcolor='#".($emailok?"c0ffc0":"ffc0c0")."'>".sanitizeHTML($mail)."</td>"; + + $uidok=0; + if($bits[1]=="r") + { + $rmessage=_("Error: UID is revoked"); + } + elseif($uidformatwrong==1) + { + $rmessage=_("The format of the UID was not recognized. Please use 'Name (comment) <email@domain>'"); + } + elseif($mail=="" and $name=="") + { + $rmessage=_("Error: Both Name and Email address are empty"); + } + elseif($emailok and $nameok) + { + $uidok=1; + $rmessage=_("Name and Email OK."); + } + elseif(!$emailok and !$nameok) + { + $rmessage=_("Name and Email both cannot be matched with your account."); + } + elseif($emailok and $name=="") + { + $uidok=1; + $rmessage=_("The email is OK. The name is empty."); + } + elseif($nameok and $mail=="") + { + $uidok=1; + $rmessage=_("The name is OK. The email is empty."); + } + elseif(!$emailok) + { + $rmessage=_("The email address has not been registered and verified in your account. Please add the email address to your account first."); + } + elseif(!$nameok) + { + $rmessage=_("The name in the UID does not match the name in your account. 
Please verify the name."); + } + + else + { + $rmessage=_("Error"); + } + if($uidok) + { + $nok++; + $resulttable.="<td>$rmessage</td>"; + $lastvalidemail=$mail; + } + else + { + $nerr++; + //$ToBeDeleted[]=$i; + //echo "Adding UID $i\n"; + $resulttable.="<td bgcolor='#ffc0c0'>$rmessage</td>"; + } + $resulttable.="</tr>\n"; + + if($emailok) $multiple++; + } + $resulttable.="</table>"; + + + if($nok==0) + { + showheader(_("Welcome to CAcert.org")); + echo $resulttable; + + echo "<font color='#ff0000'>"._("No valid UIDs found on your key")."</font>"; + unset($_REQUEST['process']); + $id = $oldid; + unset($oldid); + $do = `echo "$debugkey\n--\n$debugpg\n--" >> /www/tmp/gpg.debug`; + exit(); + } + elseif($nerr) + { + $resulttable.=_("The unverified UIDs have been removed, the verified UIDs have been signed."); + } + + + } + + + if($oldid == "0" && $CSR != "") + { + $query = "insert into `gpg` set `memid`='".intval($_SESSION['profile']['id'])."', + `email`='".mysql_real_escape_string($lastvalidemail)."', + `level`='1', + `expires`='".mysql_real_escape_string($expires)."', + `multiple`='".mysql_real_escape_string($multiple)."', + `keyid`='".mysql_real_escape_string($keyid)."'"; + mysql_query($query); + $id = mysql_insert_id(); + + + $cwd = '/tmp/gpgspace'.$id; + mkdir($cwd,0755); + + $fp = fopen("$cwd/gpg.csr", "w"); + fputs($fp, clean_csr($CSR)); + fclose($fp); + + + system("gpg --homedir $cwd --import $cwd/gpg.csr"); + + + $debugpg = $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`); + $lines = ""; + $gpgarr = explode("\n", $gpg); + foreach($gpgarr as $line) + { + //echo "Line[]: $line <br/>\n"; + if(substr($line, 0, 4) == "uid:") + { + $name = $comment = ""; + $bits = explode(":", $line); + + $pos = strpos($bits[9], "(") - 1; + $nocomment = 0; + if($pos < 0) + { + $nocomment = 1; + $pos = strpos($bits[9], "<") - 1; + } + if($pos < 0) + { + $pos = strlen($bits[9]); + } + + $name = trim(hex2bin(trim(substr($bits[9], 0, $pos)))); + 
$nameok=verifyName($name); + if($nocomment == 0) + { + $pos += 2; + $pos2 = strpos($bits[9], ")"); + $comm = trim(hex2bin(trim(substr($bits[9], $pos, $pos2 - $pos)))); + if($comm != "") + $comment[] = $comm; + $pos = $pos2 + 3; + } else { + $pos = strpos($bits[9], "<") + 1; + } + + $mail=""; + if (preg_match("/<([\w.-]*\@[\w.-]*)>/", $bits[9],$match)) { + //echo "Found: ".$match[1]; + $mail = trim(hex2bin($match[1])); + } + else + { + //echo "Not found!\n"; + } + + $emailok=verifyEmail($mail); + + $uidid=$bits[7]; + + if($bits[1]=="r") + { + $ToBeDeleted[]=$uidid; + } + elseif($mail=="" and $name=="") + { + //echo "$uidid will be deleted\n"; + $ToBeDeleted[]=$uidid; + } + elseif($emailok and $nameok) + { + } + elseif($emailok and $name=="") + { + } + elseif($nameok and $mail=="") + { + } + elseif(!$emailok and !$nameok) + { + //echo "$uidid will be deleted\n"; + $ToBeDeleted[]=$uidid; + } + elseif(!$emailok) + { + //echo "$uidid will be deleted\n"; + $ToBeDeleted[]=$uidid; + } + elseif(!$nameok) + { + //echo "$uidid will be deleted\n"; + $ToBeDeleted[]=$uidid; + } + + } + } + + + + + if(count($ToBeDeleted)>0) + { + + + $descriptorspec = array( + 0 => array("pipe", "r"), // stdin is a pipe that the child will read from + 1 => array("pipe", "w"), // stdout is a pipe that the child will write to + 2 => array("pipe", "w") // stderr is a file to write to + ); + + $stderr = fopen('php://stderr', 'w'); + + + //echo "Keyid: $keyid\n"; + + $process = proc_open("/usr/bin/gpg --homedir $cwd --no-tty --command-fd 0 --status-fd 1 --logger-fd 2 --edit-key $keyid", $descriptorspec, $pipes); + + //echo "Process: $process\n"; + //fputs($stderr,"Process: $process\n"); + + if (is_resource($process)) { + //echo("it is a resource\n"); + // $pipes now looks like this: + // 0 => writeable handle connected to child stdin + // 1 => readable handle connected to child stdout + // Any error output will be appended to /tmp/error-output.txt + while (!feof($pipes[1])) + { + $buffer = 
fgets($pipes[1], 4096); + //echo $buffer; + + if($buffer == "[GNUPG:] GET_BOOL keyedit.sign_all.okay\n") + { + fputs($pipes[0],"yes\n"); + } + elseif($buffer == "[GNUPG:] GOT_IT\n") + { + } + elseif(ereg("^\[GNUPG:\] GET_BOOL keyedit\.remove\.uid\.okay\s*",$buffer)) + { + fputs($pipes[0],"yes\n"); + } + elseif(ereg("^\[GNUPG:\] GET_LINE keyedit\.prompt\s*",$buffer)) + { + if(count($ToBeDeleted)>0) + { + $delthisuid=array_pop($ToBeDeleted); + //echo "Deleting an UID $delthisuid\n"; + fputs($pipes[0],"uid ".$delthisuid."\n"); + } + else + { + //echo "Saving\n"; + fputs($pipes[0],$state?"save\n":"deluid\n"); + $state++; + } + } + elseif($buffer == "[GNUPG:] GOOD_PASSPHRASE\n") + { + } + elseif(ereg("^\[GNUPG:\] KEYEXPIRED ",$buffer)) + { + echo "Key expired!\n"; + exit; + } + elseif($buffer == "") + { + //echo "Empty!\n"; + } + else + { + echo "ERROR: UNKNOWN $buffer\n"; + } + + + } + //echo "Fertig\n"; + fclose($pipes[0]); + + //echo stream_get_contents($pipes[1]); + fclose($pipes[1]); + + // It is important that you close any pipes before calling + // proc_close in order to avoid a deadlock + $return_value = proc_close($process); + + //echo "command returned $return_value\n"; + } + else + { + echo "Keine ressource!\n"; + } + + + } + + + + $do=`gpg --homedir $cwd --batch --export-options export-minimal --export $keyid >../csr/gpg-$id.csr`; + + //echo "Export: $do\n"; + + //$fp = fopen("../csr/gpg-$id.csr", "w"); + //fputs($fp, clean_csr($CSR')); + //fclose($fp); + + +if(1) +{ + + mysql_query("update `gpg` set `csr`='../csr/gpg-$id.csr' where `id`='$id'"); + + waitForResult('gpg', $id); +} + + showheader(_("Welcome to CAcert.org")); + echo $resulttable; + $query = "select * from `gpg` where `id`='$id' and `crt`!=''"; + $res = mysql_query($query); + if(mysql_num_rows($res) <= 0) + { + echo _("Your certificate request has failed to be processed correctly, please try submitting it again.")."<br>\n"; + echo _("If this is a re-occuring problem, please send a copy of the 
key you are trying to signed to support@cacert.org. Thank you."); + } else { + echo "<pre>"; + readfile("../crt/gpg-$id.crt"); + echo "</pre>"; + } + + showfooter(); + exit; + } + + $id = intval($id); + + showheader(_("Welcome to CAcert.org")); + includeit($id, "gpg"); + showfooter(); +?> diff --git a/cacert/www/help.php b/cacert/www/help.php new file mode 100644 index 0000000..09992f9 --- /dev/null +++ b/cacert/www/help.php @@ -0,0 +1,27 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ ?> +<? + loadem("index"); + + $id = array_key_exists('id',$_REQUEST)?intval($_REQUEST['id']):0; + + showheader(_("Welcome to CAcert.org")); + includeit($id, "help"); + showfooter(); + +?> diff --git a/cacert/www/iistutorial/CVS/Entries b/cacert/www/iistutorial/CVS/Entries new file mode 100644 index 0000000..d30e5b5 --- /dev/null +++ b/cacert/www/iistutorial/CVS/Entries 
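Review bot: In gpg.php the pasted key text is spliced into a shell command line at `echo "$gpgkey"|gpg --with-colons --homedir /tmp 2>&1`, and again in the debug append to `/www/tmp/gpg.debug`, so the only thing keeping shell metacharacters from the request's `CSR` field out of the shell is `clean_csr()`, which is defined outside this hunk. Feeding the key to gpg on stdin through `proc_open`, as the later `--edit-key` step already does, removes that dependency, and the debug record can be appended with `fopen`/`fputs` instead of `echo ... >>`. `$keyid` is parsed from gpg's output and then used unquoted in `--list-keys $keyid`, `--edit-key $keyid` and `--export $keyid`; wrapping it in `escapeshellarg()` is a cheap second layer. Separately, the first listing uses `--homedir /tmp` and the work directory `/tmp/gpgspace$id` is created with mode 0755 without checking the `mkdir` result, so a private per-request directory (0700, creation verified, removed afterwards) would be the safer choice.

```php
// … unchanged: request parsing, verifyName(), verifyEmail() …
$debugkey = $gpgkey = clean_csr($CSR);
// Key text goes to gpg on stdin; the command line itself is a constant.
$listspec = array(
	0 => array("pipe", "r"),
	1 => array("pipe", "w")
);
$listproc = proc_open("gpg --with-colons --homedir /tmp 2>&1", $listspec, $listpipes);
$gpg = "";
if(is_resource($listproc))
{
	fputs($listpipes[0], $gpgkey."\n");
	fclose($listpipes[0]);
	$gpg = trim(stream_get_contents($listpipes[1]));
	fclose($listpipes[1]);
	proc_close($listproc);
}
$debugpg = $gpg;
// … unchanged: pub/uid line filtering and per-UID checks …
```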
@@ -0,0 +1,17 @@ +/image001.jpg/1.1/Thu Nov 18 23:21:15 2004// +/image002.jpg/1.1/Thu Nov 18 23:21:15 2004// +/image003.gif/1.1/Thu Nov 18 23:21:15 2004// +/image004.gif/1.1/Thu Nov 18 23:21:15 2004// +/image005.gif/1.1/Thu Nov 18 23:21:15 2004// +/image006.gif/1.1/Thu Nov 18 23:21:15 2004// +/image007.gif/1.1/Thu Nov 18 23:21:15 2004// +/image008.gif/1.1/Thu Nov 18 23:21:15 2004// +/image009.gif/1.1/Thu Nov 18 23:21:15 2004// +/image010.gif/1.1/Thu Nov 18 23:21:15 2004// +/image011.jpg/1.1/Thu Nov 18 23:21:15 2004// +/image011b.png/1.1/Thu Nov 18 23:21:15 2004// +/image012.gif/1.1/Thu Nov 18 23:21:15 2004// +/image013.gif/1.1/Thu Nov 18 23:21:15 2004// +/image014.jpg/1.1/Thu Nov 18 23:21:15 2004// +/image015.gif/1.1/Thu Nov 18 23:21:15 2004// +D diff --git a/cacert/www/iistutorial/CVS/Repository b/cacert/www/iistutorial/CVS/Repository new file mode 100644 index 0000000..dc85f8b --- /dev/null +++ b/cacert/www/iistutorial/CVS/Repository @@ -0,0 +1 @@ +cacert/www/iistutorial diff --git a/cacert/www/iistutorial/CVS/Root b/cacert/www/iistutorial/CVS/Root new file mode 100644 index 0000000..a363882 --- /dev/null +++ b/cacert/www/iistutorial/CVS/Root @@ -0,0 +1 @@ +/var/lib/cvs diff --git a/cacert/www/iistutorial/image001.jpg b/cacert/www/iistutorial/image001.jpg Binary files differnew file mode 100644 index 0000000..5afa695 --- /dev/null +++ b/cacert/www/iistutorial/image001.jpg diff --git a/cacert/www/iistutorial/image002.jpg b/cacert/www/iistutorial/image002.jpg Binary files differnew file mode 100644 index 0000000..b1fef64 --- /dev/null +++ b/cacert/www/iistutorial/image002.jpg diff --git a/cacert/www/iistutorial/image003.gif b/cacert/www/iistutorial/image003.gif Binary files differnew file mode 100644 index 0000000..c43a6f2 --- /dev/null +++ b/cacert/www/iistutorial/image003.gif diff --git a/cacert/www/iistutorial/image004.gif b/cacert/www/iistutorial/image004.gif Binary files differnew file mode 100644 index 0000000..22e69d4 --- /dev/null 
+++ b/cacert/www/iistutorial/image004.gif diff --git a/cacert/www/iistutorial/image005.gif b/cacert/www/iistutorial/image005.gif Binary files differnew file mode 100644 index 0000000..49e0d2c --- /dev/null +++ b/cacert/www/iistutorial/image005.gif diff --git a/cacert/www/iistutorial/image006.gif b/cacert/www/iistutorial/image006.gif Binary files differnew file mode 100644 index 0000000..bebdff4 --- /dev/null +++ b/cacert/www/iistutorial/image006.gif diff --git a/cacert/www/iistutorial/image007.gif b/cacert/www/iistutorial/image007.gif Binary files differnew file mode 100644 index 0000000..a0e3b8c --- /dev/null +++ b/cacert/www/iistutorial/image007.gif diff --git a/cacert/www/iistutorial/image008.gif b/cacert/www/iistutorial/image008.gif Binary files differnew file mode 100644 index 0000000..6af9c94 --- /dev/null +++ b/cacert/www/iistutorial/image008.gif diff --git a/cacert/www/iistutorial/image009.gif b/cacert/www/iistutorial/image009.gif Binary files differnew file mode 100644 index 0000000..750c3d1 --- /dev/null +++ b/cacert/www/iistutorial/image009.gif diff --git a/cacert/www/iistutorial/image010.gif b/cacert/www/iistutorial/image010.gif Binary files differnew file mode 100644 index 0000000..ce100d9 --- /dev/null +++ b/cacert/www/iistutorial/image010.gif diff --git a/cacert/www/iistutorial/image011.jpg b/cacert/www/iistutorial/image011.jpg Binary files differnew file mode 100644 index 0000000..aa40ab0 --- /dev/null +++ b/cacert/www/iistutorial/image011.jpg diff --git a/cacert/www/iistutorial/image011b.png b/cacert/www/iistutorial/image011b.png Binary files differnew file mode 100644 index 0000000..7a8b1d7 --- /dev/null +++ b/cacert/www/iistutorial/image011b.png diff --git a/cacert/www/iistutorial/image012.gif b/cacert/www/iistutorial/image012.gif Binary files differnew file mode 100644 index 0000000..a74999a --- /dev/null +++ b/cacert/www/iistutorial/image012.gif 
diff --git a/cacert/www/iistutorial/image013.gif b/cacert/www/iistutorial/image013.gif Binary files differnew file mode 100644 index 0000000..3fb2ebe --- /dev/null +++ b/cacert/www/iistutorial/image013.gif diff --git a/cacert/www/iistutorial/image014.jpg b/cacert/www/iistutorial/image014.jpg Binary files differnew file mode 100644 index 0000000..8eed2f9 --- /dev/null +++ b/cacert/www/iistutorial/image014.jpg diff --git a/cacert/www/iistutorial/image015.gif b/cacert/www/iistutorial/image015.gif Binary files differnew file mode 100644 index 0000000..512767f --- /dev/null +++ b/cacert/www/iistutorial/image015.gif diff --git a/cacert/www/images/CVS/Entries b/cacert/www/images/CVS/Entries new file mode 100644 index 0000000..838a66d --- /dev/null +++ b/cacert/www/images/CVS/Entries @@ -0,0 +1,2 @@ +/cacert2.png/1.1.1.1/Sat Oct 16 00:28:17 2004// +D diff --git a/cacert/www/images/CVS/Repository b/cacert/www/images/CVS/Repository new file mode 100644 index 0000000..f92346d --- /dev/null +++ b/cacert/www/images/CVS/Repository @@ -0,0 +1 @@ +cacert/www/images diff --git a/cacert/www/images/CVS/Root b/cacert/www/images/CVS/Root new file mode 100644 index 0000000..a363882 --- /dev/null +++ b/cacert/www/images/CVS/Root @@ -0,0 +1 @@ +/var/lib/cvs diff --git a/cacert/www/images/cacert2.png b/cacert/www/images/cacert2.png Binary files differnew file mode 100644 index 0000000..490fe6e --- /dev/null +++ b/cacert/www/images/cacert2.png diff --git a/cacert/www/index.php b/cacert/www/index.php new file mode 100644 index 0000000..4449267 --- /dev/null +++ b/cacert/www/index.php 
@@ -0,0 +1,621 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ ?> +<? + + $id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']); + $oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']); + $process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process']; + + if($id == 2) + $id = 0; + + $_SESSION['_config']['errmsg'] = ""; + + if($id == 17 || $id == 20) + { + include_once("../pages/index/$id.php"); + exit; + } + + loadem("index"); + + $_SESSION['_config']['hostname'] = $_SERVER['HTTP_HOST']; + + if(($oldid == 6 || $id == 6) && intval($_SESSION['lostpw']['user']['id']) < 1) + { + $oldid = 0; + $id = 5; + } + + if($oldid == 6 && $process != "") + { + $body = ""; + $answers = 0; + $qs = array(); + $id = $oldid; + $oldid = 0; + if(array_key_exists('Q1',$_REQUEST) && $_REQUEST['Q1']) + { + $_SESSION['lostpw']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1'])))); + + if(stripslashes(strtolower($_SESSION['lostpw']['A1'])) == strtolower($_SESSION['lostpw']['user']['A1'])) + $answers++; + $body .= "System: ".$_SESSION['lostpw']['user']['A1']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A1']))."\n"; + } + if(array_key_exists('Q2',$_REQUEST) && $_REQUEST['Q2']) + { + 
$_SESSION['lostpw']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2'])))); + + if(stripslashes(strtolower($_SESSION['lostpw']['A2'])) == strtolower($_SESSION['lostpw']['user']['A2'])) + $answers++; + $body .= "System: ".$_SESSION['lostpw']['user']['A2']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A2']))."\n"; + } + if(array_key_exists('Q3',$_REQUEST) && $_REQUEST['Q3']) + { + $_SESSION['lostpw']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3'])))); + + if(stripslashes(strtolower($_SESSION['lostpw']['A3'])) == strtolower($_SESSION['lostpw']['user']['A3'])) + $answers++; + $body .= "System: ".$_SESSION['lostpw']['user']['A3']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A3']))."\n"; + } + if(array_key_exists('Q4',$_REQUEST) && $_REQUEST['Q4']) + { + $_SESSION['lostpw']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4'])))); + + if(stripslashes(strtolower($_SESSION['lostpw']['A4'])) == strtolower($_SESSION['lostpw']['user']['A4'])) + $answers++; + $body .= "System: ".$_SESSION['lostpw']['user']['A4']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A4']))."\n"; + } + if(array_key_exists('Q5',$_REQUEST) && $_REQUEST['Q5']) + { + $_SESSION['lostpw']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5'])))); + + if(stripslashes(strtolower($_SESSION['lostpw']['A5'])) == strtolower($_SESSION['lostpw']['user']['A5'])) + $answers++; + $body .= "System: ".$_SESSION['lostpw']['user']['A5']."\nEntered: ".stripslashes(strip_tags($_SESSION['lostpw']['A5']))."\n"; + } + + $_SESSION['lostpw']['pw1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass1'])))); + $_SESSION['lostpw']['pw2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['newpass2'])))); + + if($answers < $_SESSION['lostpw']['total'] || $answers < 3) + { + $body = "Someone has just attempted to update the pass phrase on the following account:\n". 
+ "Username(ID): ".$_SESSION['lostpw']['user']['email']."(".$_SESSION['lostpw']['user']['id'].")\n". + "email: ".$_SESSION['lostpw']['user']['email']."\n". + "Requested Pass Phrase: ".$_SESSION['lostpw']['pw1']."\n". + "IP/Hostname: ".$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:"")."\n". + "---------------------------------------------------------------------\n".$body. + "---------------------------------------------------------------------\n"; + sendmail("support@cacert.org", "[CAcert.org] Requested Pass Phrase Change", $body, + $_SESSION['lostpw']['user']['email'], "", "", $_SESSION['lostpw']['user']['fname']); + $_SESSION['_config']['errmsg'] = _("You failed to get all answers correct or you didn't configure enough lost password questions for your account. System admins have been notified."); + } else if($_SESSION['lostpw']['pw1'] != $_SESSION['lostpw']['pw2'] || $_SESSION['lostpw']['pw1'] == "") { + $_SESSION['_config']['errmsg'] = _("New Pass Phrases specified don't match or were blank."); + } else if(strlen($_SESSION['lostpw']['pw1']) < 6) { + $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted was too short. It must be at least 6 characters."); + } else { + $score = checkpw($_SESSION['lostpw']['pw1'], $_SESSION['lostpw']['user']['email'], $_SESSION['lostpw']['user']['fname'], + $_SESSION['lostpw']['user']['mname'], $_SESSION['lostpw']['user']['lname'], $_SESSION['lostpw']['user']['suffix']); + if($score < 3) + { + $_SESSION['_config']['errmsg'] = sprintf(_("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. 
Only scored %s points out of 6."), $score); + } else { + $query = "update `users` set `password`=sha1('".$_SESSION['lostpw']['pw1']."') + where `id`='".intval($_SESSION['lostpw']['user']['id'])."'"; + mysql_query($query) || die(mysql_error()); + showheader(_("Welcome to CAcert.org")); + echo _("Your Pass Phrase has been updated and your primary email account has been notified of the change."); + showfooter(); + exit; + } + } + } + + if($oldid == 5 && $process != "") + { + $email = $_SESSION['lostpw']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email'])))); + $_SESSION['lostpw']['day'] = intval($_REQUEST['day']); + $_SESSION['lostpw']['month'] = intval($_REQUEST['month']); + $_SESSION['lostpw']['year'] = intval($_REQUEST['year']); + $dob = $_SESSION['lostpw']['year']."-".$_SESSION['lostpw']['month']."-".$_SESSION['lostpw']['day']; + $query = "select * from `users` where `email`='$email' and `dob`='$dob'"; + $res = mysql_query($query); + if(mysql_num_rows($res) <= 0) + { + $id = $oldid; + $oldid = 0; + $_SESSION['_config']['errmsg'] = _("Unable to match your details with any user accounts on file"); + } else { + $id = 6; + $_SESSION['lostpw']['user'] = mysql_fetch_assoc($res); + } + } + + if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname']) + { + $query = "select * from `emailcerts` where `serial`='$_SERVER[SSL_CLIENT_M_SERIAL]' and `revoked`=0 and disablelogin=0 and + UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0"; + $res = mysql_query($query); + if(mysql_num_rows($res) > 0) + { + $row = mysql_fetch_assoc($res); + $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$row[memid]' and `deleted`=0 and `locked`=0")); + if($_SESSION['profile']['id'] != 0) + { + $_SESSION['profile']['loggedin'] = 1; + header("location: https://".$_SERVER['HTTP_HOST']."/account.php"); + exit; + } else { + $_SESSION['profile']['loggedin'] = 0; + } + } + } + + if($id == 4 && 
array_key_exists('profile',$_SESSION) && array_key_exists('loggedin',array($_SESSION['profile'])) && $_SESSION['profile']['loggedin'] == 1) + { + header("location: https://".$_SERVER['HTTP_HOST']."/account.php"); + exit; + } + + function getOTP64($otp) + { + $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*!-?%:"; + + for($i = 0; $i < 6; $i++) + $val[$i] = hexdec(substr($otp, $i * 2, 2)); + + $tmp1 = $val[0] >> 2; + $OTP = $lookupChar[$tmp1 & 63]; + $tmp2 = $val[0] - ($tmp1 << 2); + $tmp1 = $val[1] >> 4; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 63]; + $tmp2 = $val[1] - ($tmp1 << 4); + $tmp1 = $val[2] >> 6; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 63]; + $tmp2 = $val[2] - ($tmp1 << 6); + $OTP .= $lookupChar[$tmp2 & 63]; + $tmp1 = $val[3] >> 2; + $OTP .= $lookupChar[$tmp1 & 63]; + $tmp2 = $val[3] - ($tmp1 << 2); + $tmp1 = $val[4] >> 4; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 63]; + $tmp2 = $val[4] - ($tmp1 << 4); + $tmp1 = $val[5] >> 6; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 63]; + $tmp2 = $val[5] - ($tmp1 << 6); + $OTP .= $lookupChar[$tmp2 & 63]; + + return $OTP; + } + + function getOTP32($otp) + { + $lookupChar = "0123456789abcdefghkmnoprstuvwxyz"; + + for($i = 0; $i < 7; $i++) + $val[$i] = hexdec(substr($otp, $i * 2, 2)); + + $tmp1 = $val[0] >> 3; + $OTP = $lookupChar[$tmp1 & 31]; + $tmp2 = $val[0] - ($tmp1 << 3); + $tmp1 = $val[1] >> 6; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 31]; + $tmp2 = ($val[1] - ($tmp1 << 6)) >> 1; + $OTP .= $lookupChar[$tmp2 & 31]; + $tmp2 = $val[1] - (($val[1] >> 1) << 1); + $tmp1 = $val[2] >> 4; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 31]; + $tmp2 = $val[2] - ($tmp1 << 4); + $tmp1 = $val[3] >> 7; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 31]; + $tmp2 = ($val[3] - ($tmp1 << 7)) >> 2; + $OTP .= $lookupChar[$tmp2 & 31]; + $tmp2 = $val[3] - (($val[3] - ($tmp1 << 7)) >> 2) << 2; + $tmp1 = $val[4] >> 5; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 31]; + $tmp2 = $val[4] - ($tmp1 << 5); + $OTP .= $lookupChar[$tmp2 & 31]; + 
$tmp1 = $val[5] >> 3; + $OTP .= $lookupChar[$tmp1 & 31]; + $tmp2 = $val[5] - ($tmp1 << 3); + $tmp1 = $val[6] >> 6; + $OTP .= $lookupChar[($tmp1 + $tmp2) & 31]; + + return $OTP; + } + + if($oldid == 4) + { + $oldid = 0; + $id = 4; + + $_SESSION['_config']['errmsg'] = ""; + + $email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email'])))); + $pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword']))); + $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or + `password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0"; + $res = mysql_query($query); + if(mysql_num_rows($res) <= 0) + { + $otpquery = "select * from `users` where `email`='$email' and `otphash`!='' and `verified`=1 and `deleted`=0 and `locked`=0"; + $otpres = mysql_query($otpquery); + if(mysql_num_rows($otpres) > 0) + { + $otp = mysql_fetch_assoc($otpres); + $otphash = $otp['otphash']; + $otppin = $otp['otppin']; + if(strlen($pword) == 6) + { + $matchperiod = 18; + $time = round(gmdate("U") / 10); + } else { + $matchperiod = 3; + $time = round(gmdate("U") / 60); + } + + $query = "delete from `otphashes` where UNIX_TIMESTAMP(`when`) <= UNIX_TIMESTAMP(NOW()) - 600"; + mysql_query($query); + + $query = "select * from `otphashes` where `username`='$email' and `otp`='$pword'"; + if(mysql_num_rows(mysql_query($query)) <= 0) + { + $query = "insert into `otphashes` set `when`=NOW(), `username`='$email', `otp`='$pword'"; + mysql_query($query); + for($i = $time - $matchperiod; $i <= $time + $matchperiod * 2; $i++) + { + if($otppin > 0) + $tmpmd5 = md5("$i$otphash$otppin"); + else + $tmpmd5 = md5("$i$otphash"); + + if(strlen($pword) == 6) + $md5 = substr(md5("$i$otphash"), 0, 6); + else if(strlen($pword) == 8) + $md5 = getOTP64(md5("$i$otphash")); + else + $md5 = getOTP32(md5("$i$otphash")); + + if($pword == $md5) + $res = mysql_query($otpquery); + } + } + } + } + if(mysql_num_rows($res) > 0) + { + 
$_SESSION['profile'] = ""; + unset($_SESSION['profile']); + $_SESSION['profile'] = mysql_fetch_assoc($res); + $query = "update `users` set `modified`=NOW(), `password`=sha1('$pword') where `id`='".$_SESSION['profile']['id']."'"; + mysql_query($query); + + if($_SESSION['profile']['language'] == "") + { + $query = "update `users` set `language`='".$_SESSION['_config']['language']."' + where `id`='".$_SESSION['profile']['id']."'"; + mysql_query($query); + } else { + $_SESSION['_config']['language'] = $_SESSION['profile']['language']; + + putenv("LANG=".$_SESSION['_config']['language']); + setlocale(LC_ALL, $_SESSION['_config']['language']); + + $domain = 'messages'; + bindtextdomain("$domain", $_SESSION['_config']['filepath']."/locale"); + textdomain("$domain"); + } + $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' group by `to`"; + $res = mysql_query($query); + $row = mysql_fetch_assoc($res); + $_SESSION['profile']['points'] = $row['total']; + $_SESSION['profile']['loggedin'] = 1; + if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" || + $_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" || + $_SESSION['profile']['Q5'] == "") + { + $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>"; + $_SESSION['_config']['oldlocation'] = "account.php?id=13"; + } + if($_SESSION['_config']['oldlocation'] != "") + header("location: https://".$_SERVER['HTTP_HOST']."/".$_SESSION['_config']['oldlocation']); + else + header("location: https://".$_SERVER['HTTP_HOST']."/account.php"); + exit; + } + + $query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or + `password`=password('$pword')) and `verified`=0 and `deleted`=0"; + $res = mysql_query($query); + if(mysql_num_rows($res) <= 0) + { + $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass 
Phrase."); + } else { + $_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages."); + } + } + + if($process && $oldid == 1) + { + $id = 2; + $oldid = 0; + + $_SESSION['_config']['errmsg'] = ""; + + $_SESSION['signup']['email'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['email'])))); + $_SESSION['signup']['fname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['fname'])))); + $_SESSION['signup']['mname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['mname'])))); + $_SESSION['signup']['lname'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['lname'])))); + $_SESSION['signup']['suffix'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['suffix'])))); + $_SESSION['signup']['day'] = intval($_REQUEST['day']); + $_SESSION['signup']['month'] = intval($_REQUEST['month']); + $_SESSION['signup']['year'] = intval($_REQUEST['year']); + $_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword1']))); + $_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($_REQUEST['pword2']))); + $_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q1'])))); + $_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q2'])))); + $_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q3'])))); + $_SESSION['signup']['Q4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q4'])))); + $_SESSION['signup']['Q5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['Q5'])))); + $_SESSION['signup']['A1'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A1'])))); + $_SESSION['signup']['A2'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A2'])))); + $_SESSION['signup']['A3'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A3'])))); + 
$_SESSION['signup']['A4'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A4'])))); + $_SESSION['signup']['A5'] = trim(mysql_escape_string(stripslashes(strip_tags($_REQUEST['A5'])))); + $_SESSION['signup']['general'] = intval(array_key_exists('general',$_REQUEST)?$_REQUEST['general']:0); + $_SESSION['signup']['country'] = intval(array_key_exists('country',$_REQUEST)?$_REQUEST['country']:0); + $_SESSION['signup']['regional'] = intval(array_key_exists('regional',$_REQUEST)?$_REQUEST['regional']:0); + $_SESSION['signup']['radius'] = intval(array_key_exists('radius',$_REQUEST)?$_REQUEST['radius']:0); + $_SESSION['signup']['cca_agree'] = intval(array_key_exists('cca_agree',$_REQUEST)?$_REQUEST['cca_agree']:0); + + + if($_SESSION['signup']['Q1'] == $_SESSION['signup']['Q2'] || + $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q3'] || + $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q4'] || + $_SESSION['signup']['Q1'] == $_SESSION['signup']['Q5'] || + $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q3'] || + $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q4'] || + $_SESSION['signup']['Q2'] == $_SESSION['signup']['Q5'] || + $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q4'] || + $_SESSION['signup']['Q3'] == $_SESSION['signup']['Q5'] || + $_SESSION['signup']['Q4'] == $_SESSION['signup']['Q5'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['Q1'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['Q2'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['Q3'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['Q4'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['Q5'] || + $_SESSION['signup']['A2'] == $_SESSION['signup']['Q3'] || + $_SESSION['signup']['A2'] == $_SESSION['signup']['Q4'] || + $_SESSION['signup']['A2'] == $_SESSION['signup']['Q5'] || + $_SESSION['signup']['A3'] == $_SESSION['signup']['Q4'] || + $_SESSION['signup']['A3'] == $_SESSION['signup']['Q5'] || + $_SESSION['signup']['A4'] == $_SESSION['signup']['Q5'] || + 
$_SESSION['signup']['A1'] == $_SESSION['signup']['A2'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['A3'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['A4'] || + $_SESSION['signup']['A1'] == $_SESSION['signup']['A5'] || + $_SESSION['signup']['A2'] == $_SESSION['signup']['A3'] || + $_SESSION['signup']['A2'] == $_SESSION['signup']['A4'] || + $_SESSION['signup']['A2'] == $_SESSION['signup']['A5'] || + $_SESSION['signup']['A3'] == $_SESSION['signup']['A4'] || + $_SESSION['signup']['A3'] == $_SESSION['signup']['A5'] || + $_SESSION['signup']['A4'] == $_SESSION['signup']['A5']) + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 different password questions and answers. You aren't allowed to duplicate questions, set questions as answers or use the question as the answer.")."<br>\n"; + } + + if($_SESSION['signup']['Q1'] == "" || $_SESSION['signup']['Q2'] == "" || + $_SESSION['signup']['Q3'] == "" || $_SESSION['signup']['Q4'] == "" || + $_SESSION['signup']['Q5'] == "") + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("For your own security you must enter 5 lost password questions and answers.")."<br>\n"; + } + if($_SESSION['signup']['fname'] == "" || $_SESSION['signup']['lname'] == "") + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("First and/or last names were blank.")."<br>\n"; + } + if($_SESSION['signup']['year'] < 1900 || $_SESSION['signup']['month'] < 1 || $_SESSION['signup']['month'] > 12 || + $_SESSION['signup']['day'] < 1 || $_SESSION['signup']['day'] > 31 || + !checkdate($_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) || + mktime(0,0,0,$_SESSION['signup']['month'],$_SESSION['signup']['day'],$_SESSION['signup']['year']) > time() ) + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("Invalid date of birth")."<br>\n"; + } + if($_SESSION['signup']['cca_agree'] == "0") + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("You have to agree to the CAcert Community 
agreement.")."<br>\n"; + } + if($_SESSION['signup']['email'] == "") + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("Email Address was blank")."<br>\n"; + } + if($_SESSION['signup']['pword1'] == "") + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("Pass Phrases were blank")."<br>\n"; + } + if($_SESSION['signup']['pword1'] != $_SESSION['signup']['pword2']) + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("Pass Phrases don't match")."<br>\n"; + } + + $score = checkpw($_SESSION['signup']['pword1'], $_SESSION['signup']['email'], $_SESSION['signup']['fname'], $_SESSION['signup']['mname'], $_SESSION['signup']['lname'], $_SESSION['signup']['suffix']); + if($score < 3) + { + $id = 1; + $_SESSION['_config']['errmsg'] = _("The Pass Phrase you submitted failed to contain enough differing characters and/or contained words from your name and/or email address. Only scored $score points out of 6."); + } + + if($id == 2) + { + $query = "select * from `email` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0"; + $res1 = mysql_query($query); + + $query = "select * from `users` where `email`='".$_SESSION['signup']['email']."' and `deleted`=0"; + $res2 = mysql_query($query); + if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0) + { + $id = 1; + $_SESSION['_config']['errmsg'] .= _("This email address is currently valid in the system.")."<br>\n"; + } + + $query = "select `domain` from `baddomains` where `domain`=RIGHT('".$_SESSION['signup']['email']."', LENGTH(`domain`))"; + $res = mysql_query($query); + if(mysql_num_rows($res) > 0) + { + $domain = mysql_fetch_assoc($res); + $domain = $domain['domain']; + $id = 1; + $_SESSION['_config']['errmsg'] .= sprintf(_("We don't allow signups from people using email addresses from %s"), $domain)."<br>\n"; + } + } + + if($id == 2) + { + $checkemail = checkEmail($_SESSION['signup']['email']); + if($checkemail != "OK") + { + $id = 1; + if (substr($checkemail, 0, 1) == "4") + { + $_SESSION['_config']['errmsg'] .= 
_("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes."); + } else { + $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid"); + } + $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n"; + } + } + + if($id == 2) + { + $hash = make_hash(); + + $query = "insert into `users` set `email`='".$_SESSION['signup']['email']."', + `password`=sha1('".$_SESSION['signup']['pword1']."'), + `fname`='".$_SESSION['signup']['fname']."', + `mname`='".$_SESSION['signup']['mname']."', + `lname`='".$_SESSION['signup']['lname']."', + `suffix`='".$_SESSION['signup']['suffix']."', + `dob`='".$_SESSION['signup']['year']."-".$_SESSION['signup']['month']."-".$_SESSION['signup']['day']."', + `Q1`='".$_SESSION['signup']['Q1']."', + `Q2`='".$_SESSION['signup']['Q2']."', + `Q3`='".$_SESSION['signup']['Q3']."', + `Q4`='".$_SESSION['signup']['Q4']."', + `Q5`='".$_SESSION['signup']['Q5']."', + `A1`='".$_SESSION['signup']['A1']."', + `A2`='".$_SESSION['signup']['A2']."', + `A3`='".$_SESSION['signup']['A3']."', + `A4`='".$_SESSION['signup']['A4']."', + `A5`='".$_SESSION['signup']['A5']."', + `created`=NOW(), `uniqueID`=SHA1(CONCAT(NOW(),'$hash'))"; + mysql_query($query); + $memid = mysql_insert_id(); + $query = "insert into `email` set `email`='".$_SESSION['signup']['email']."', + `hash`='$hash', + `created`=NOW(), + `memid`='$memid'"; + mysql_query($query); + $emailid = mysql_insert_id(); + $query = "insert into `alerts` set `memid`='$memid', + `general`='".$_SESSION['signup']['general']."', + `country`='".$_SESSION['signup']['country']."', + `regional`='".$_SESSION['signup']['regional']."', + `radius`='".$_SESSION['signup']['radius']."'"; + mysql_query($query); + + $body = _("Thanks for signing up with CAcert.org, below is the link you need to open to 
verify your account. Once your account is verified you will be able to start issuing certificates till your hearts' content!")."\n\n"; + $body .= "http://".$_SESSION['_config']['normalhostname']."/verify.php?type=email&emailid=$emailid&hash=$hash\n\n"; //."&"."lang=".$_SESSION['_config']['language']."\n\n"; + $body .= _("Best regards")."\n"._("CAcert.org Support!"); + + sendmail($_SESSION['signup']['email'], "[CAcert.org] "._("Mail Probe"), $body, "support@cacert.org", "", "", "CAcert Support"); + foreach($_SESSION['signup'] as $key => $val) + $_SESSION['signup'][$key] = ""; + unset($_SESSION['signup']); + } + } + + if($oldid == 11 && $process != "") + { + $who = stripslashes($_REQUEST['who']); + $email = stripslashes($_REQUEST['email']); + $subject = stripslashes($_REQUEST['subject']); + $message = stripslashes($_REQUEST['message']); + $secrethash = $_REQUEST['secrethash2']; + + if($_SESSION['_config']['secrethash'] != $secrethash || $secrethash == "" || $_SESSION['_config']['secrethash'] == "" || + strstr($subject, "botmetka") || strstr($subject, "servermetka") || strstr($who,"\n") || strstr($email,"\n") || strstr($subject,"\n") ) + { + $id = $oldid; + $process = ""; + $_SESSION['_config']['errmsg'] = _("This seems like potential spam, or you have cookies or Javascript disabled, cannot continue."); + $oldid = 0; + + $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message; + sendmail("support@cacert.org", "[CAcert.org] Possible SPAM", $message, $email, "", "", "CAcert Support"); + //echo "Alert! Alert! Alert! SPAM SPAM SPAM!!!<br><br><br>"; + //if($_SESSION['_config']['secrethash'] != $secrethash) echo "Hash does not match: $secrethash vs. 
".$_SESSION['_config']['secrethash']."\n"; + echo "This seems like potential spam, or you have cookies or Javascript disabled, cannot continue."; + die; + } + + if(trim($who) == "" || trim($email) == "" || trim($subject) == "" || trim($message) == "") + { + $id = $oldid; + $process = ""; + $_SESSION['_config']['errmsg'] = _("All fields are mandatory.")."<br>\n"; + $oldid = 0; + } + } + + if($oldid == 11 && $process != "" && $_REQUEST['support'] != "yes") + { + $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message; + + sendmail("support@cacert.org", "[CAcert.org] ".$subject, $message, $email, "", "", "CAcert Support"); + showheader(_("Welcome to CAcert.org")); + echo _("Your message has been sent."); + showfooter(); + exit; + } + + if($oldid == 11 && $process != "" && $_REQUEST['support'] == "yes") + { + $message = "From: $who\nEmail: $email\nSubject: $subject\n\nMessage:\n".$message; + + sendmail("cacert-support@lists.cacert.org", "[website form email]: ".$subject, $message, "website-form@cacert.org", "cacert-support@lists.cacert.org, $email", "", "CAcert-Website"); + showheader(_("Welcome to CAcert.org")); + echo _("Your message has been sent to the general support list."); + showfooter(); + exit; + } + + if(!array_key_exists('signup',$_SESSION) || $_SESSION['signup']['year'] < 1900) + $_SESSION['signup']['year'] = "19XX"; + + showheader(_("Welcome to CAcert.org")); + includeit($id); + showfooter(); +?> diff --git a/cacert/www/logos.php b/cacert/www/logos.php new file mode 100644 index 0000000..25d2d82 --- /dev/null +++ b/cacert/www/logos.php 
@@ -0,0 +1,52 @@ +<? /* + LibreSSL - CAcert web application + Copyright (C) 2004-2008 CAcert Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +*/ + loadem("index"); + showheader(_("Welcome to CAcert.org")); +?> +<h3><?=_("CAcert Logos")?></h3> + +<p><?=sprintf(_("On this page you find a number of logos to add to your website. Help CAcert to get some publicity by using a logo to link back to %s or to indicate that you or your website are using a CAcert certificates for security and privacy."), "<a href='http://www.cacert.org/'>http://www.cacert.org/</a>")?></p> +<p><?=sprintf(_("If you want to use the graphics and design, or you want to contribute something, please read the %sCAcert Styleguide%s"),"<a href='http://www.cacert.at/svn/sourcerer/CAcert/PR/CAcert_Styleguide.pdf'>","</a>")?></p> + +<h4><?=_("Collection 1 created by Christoph Probst (November 2004)")?></h4> + +<p> + <img src="logos/cacert1.png" alt="www.cacert.org logo" /><br /><br /> + <img src="logos/cacert-free-certificates2.png" alt="www.cacert.org logo" /> + <img src="logos/cacert-free-certificates3.png" alt="www.cacert.org logo" /> <br /><br /> + <img src="logos/cacert-grey.png" alt="www.cacert.org" /> + <img src="logos/small-ssl-security.png" alt="www.cacert.org" border="0" /><br /><br /> +</p> + + +<h3><?=_("How can I put a logo on to my website?")?></h3> + +<p><?=_("It is extremly easy! 
Just pick an image from the collections above and use it for example with the following html code fragment:")?> +<br /><br /> +<pre><a href="http://www.cacert.org/"><img src="INSERT-FILENAME.PNG" alt="www.cacert.org" style="border-width: 0px;" /></a></pre> +</p> + +<p><?=_("The result should get you something like:")?> +<a href="http://www.cacert.org/"><img src="logos/small-ssl-security.png" alt="www.cacert.org" style="border-width: 0px;" /></a> +</p> + +<h3><?=_("Create more badges")?></h3> + +<p><?=_(sprintf("CAcert lives from the community! If you want to contribute additional images please send them to %s to have them added to this website.", "<a href='mailto:cacert@lists.cacert.org'>cacert@lists.cacert.org</a>"))?></p> +<? showfooter(); ?> + diff --git a/cacert/www/logos/CAcert-logo-colour.eps b/cacert/www/logos/CAcert-logo-colour.eps new file mode 100644 index 0000000..f3f6222 --- /dev/null +++ b/cacert/www/logos/CAcert-logo-colour.eps 
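Review bot: The "Create more badges" paragraph of logos.php calls `_(sprintf(...))`, so the string is formatted before the gettext lookup and the msgid passed to `_()` already contains the mailto link markup; it will not match a catalog entry and the paragraph stays untranslated. The other paragraphs in this hunk format after translating, and this one should do the same: `sprintf(_("CAcert lives from the community! If you want to contribute additional images please send them to %s to have them added to this website."), "<a href='mailto:cacert@lists.cacert.org'>cacert@lists.cacert.org</a>")`.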
@@ -0,0 +1,379 @@ +%!PS-Adobe-2.0 EPSF-3.0 +%%Title: (Official CAcert Logo) +%%Copyright: (Copyright 2006-2007 CAcert.org) +%%BoundingBox: 72 385 480 478 +%%Creator: inkscape 0.45.1 +%%EndComments +% This image has been generated from the official CAcert master logo. +% EPSF created by ps2eps 1.64 +%%BeginProlog +save +countdictstack +mark +newpath +/showpage {} def +/setpagedevice {pop} def +%%EndProlog +%%Page 1 1 +%%Page: 1 1 +0 842 translate +0.8 -0.8 scale +0 0 0 setrgbcolor +[] 0 setdash +1 setlinewidth +0 setlinejoin +0 setlinecap +gsave [1 0 0 1 0 0] concat +gsave [190.3115 0 0 182.3379 -18134.796 -61308.017] concat +gsave +0.06666667 0.33725491 0.54901963 setrgbcolor +newpath +97.097476 339.34192 moveto +97.060486 339.34192 97.026641 339.33751 96.995942 339.32871 curveto +96.965494 339.3199 96.938946 339.30631 96.916299 339.28794 curveto +96.893904 339.26957 96.876541 339.24642 96.864211 339.21849 curveto +96.851881 339.19056 96.845716 339.15785 96.845716 339.12035 curveto +96.845716 339.08085 96.852258 339.04675 96.865343 339.01806 curveto +96.87868 338.98938 96.897175 338.9656 96.920829 338.94672 curveto +96.943727 338.92886 96.970149 338.91577 97.000094 338.90747 curveto +97.030038 338.89917 97.061115 338.89501 97.093324 338.89501 curveto +97.122262 338.89501 97.148935 338.89816 97.173344 338.90445 curveto +97.197752 338.91074 97.220525 338.91892 97.241663 338.92898 curveto +97.241663 339.04486 lineto +97.222413 339.04486 lineto +97.217128 339.04033 97.210711 339.03505 97.203163 339.02901 curveto +97.195865 339.02297 97.186806 339.01706 97.175986 339.01127 curveto +97.165669 339.00573 97.154345 339.0012 97.142015 338.99768 curveto +97.129685 338.99391 97.115342 338.99202 97.098986 338.99202 curveto +97.06275 338.99202 97.034819 339.00359 97.015192 339.02674 curveto +96.995816 339.04964 96.986128 339.08085 96.986128 339.12035 curveto +96.986128 339.16112 96.996067 339.19207 97.015947 339.21321 curveto +97.036077 339.23434 97.064512 339.24491 97.101251 
339.24491 curveto +97.118361 339.24491 97.133711 339.24302 97.1473 339.23925 curveto +97.161139 339.23522 97.172589 339.23057 97.181648 339.22528 curveto +97.190203 339.22025 97.197752 339.21497 97.204295 339.20943 curveto +97.210837 339.20389 97.216876 339.19848 97.222413 339.1932 curveto +97.241663 339.1932 lineto +97.241663 339.30908 lineto +97.220273 339.31914 97.197878 339.32707 97.174476 339.33286 curveto +97.151326 339.3389 97.125659 339.34192 97.097476 339.34192 curveto +fill +grestore +grestore +gsave [0.9898382 0 0 1.0102662 0 0] concat +gsave +0.06666667 0.33725491 0.54901963 setrgbcolor +newpath +467.36756 524.50343 moveto +409.4312 524.50343 lineto +409.80616 530.69084 412.14986 535.42512 416.46231 538.70628 curveto +420.82155 541.98748 427.21986 543.62807 435.65724 543.62806 curveto +441.00082 543.62807 446.1804 542.66715 451.196 540.7453 curveto +456.21145 538.82348 460.1723 536.76103 463.07858 534.55792 curveto +465.89102 534.55792 lineto +465.89102 554.87783 lineto +460.1723 557.17467 454.78179 558.83869 449.71947 559.86992 curveto +444.657 560.90115 439.05555 561.41677 432.91511 561.41677 curveto +417.07163 561.41677 404.93126 557.85434 396.49395 550.72948 curveto +388.05661 543.60463 383.83795 533.45641 383.83795 520.28477 curveto +383.83795 507.25382 387.82224 496.94154 395.79084 489.34788 curveto +403.80628 481.70748 414.7748 477.88725 428.69644 477.88716 curveto +441.53988 477.88725 451.19593 481.14499 457.66462 487.66041 curveto +464.13316 494.1291 467.36747 503.45703 467.36756 515.64423 curveto +467.36756 524.50343 lineto +442.19618 509.66779 moveto +442.05549 504.37107 440.74302 500.38678 438.25875 497.7149 curveto +435.77437 495.04314 431.90726 493.70723 426.65742 493.70716 curveto +421.78247 493.70723 417.77474 494.97283 414.63422 497.50396 curveto +411.49362 500.03522 409.73585 504.08983 409.36089 509.66779 curveto +442.19618 509.66779 lineto +fill +grestore +grestore +gsave [53.91831 0 0 52.52882 -7062.3821 -23053.485] concat +gsave 
+0.06666667 0.33725491 0.54901963 setrgbcolor +newpath +140.80005 448.61115 moveto +140.75777 448.61115 lineto +140.73751 448.60411 140.70492 448.59882 140.66001 448.5953 curveto +140.61508 448.59178 140.57765 448.59001 140.5477 448.59001 curveto +140.47988 448.59001 140.41999 448.59442 140.36802 448.60322 curveto +140.31605 448.61203 140.26012 448.62701 140.20023 448.64815 curveto +140.20023 449.64168 lineto +139.7246 449.64168 lineto +139.7246 448.15798 lineto +140.20023 448.15798 lineto +140.20023 448.37598 lineto +140.30504 448.28614 140.39621 448.22669 140.47372 448.19762 curveto +140.55123 448.16767 140.62257 448.1527 140.68775 448.1527 curveto +140.70448 448.1527 140.72342 448.15314 140.74456 448.15402 curveto +140.7657 448.1549 140.7842 448.15622 140.80005 448.15798 curveto +140.80005 448.61115 lineto +fill +grestore +grestore +gsave +0.06666667 0.33725491 0.54901963 setrgbcolor +newpath +574.30708 466.71752 moveto +548.36958 476.78002 lineto +548.36958 488.62377 lineto +537.65083 488.62377 lineto +537.65083 505.31127 lineto +548.36958 505.31127 lineto +548.36958 541.18627 lineto +548.36958 550.57002 550.82438 557.18936 555.74458 561.06127 curveto +560.71263 564.93369 568.24046 566.87377 578.36958 566.87377 curveto +582.90379 566.87377 586.76551 566.65849 589.90083 566.24877 curveto +593.03618 565.88422 595.97811 565.36967 598.77583 564.68627 curveto +598.77583 547.81127 lineto +596.61958 547.81127 lineto +595.75134 548.26669 594.21326 548.76497 591.99458 549.31127 curveto +589.8237 549.85809 588.06382 550.12429 586.71333 550.12377 curveto +583.43337 550.1243 580.91853 549.69087 579.18208 548.78002 curveto +577.49398 547.82347 576.2948 546.53105 575.61958 544.93627 curveto +574.89595 543.34202 574.5117 541.53452 574.46333 539.53002 curveto +574.41494 537.52552 574.40083 535.18668 574.40083 532.49877 curveto +574.40083 505.31127 lineto +598.77583 505.31127 lineto +598.77583 488.62377 lineto +574.40083 488.62377 lineto +574.40083 466.71752 lineto +574.30708 
466.71752 lineto +closepath +fill +grestore +gsave +0.06666667 0.33725491 0.54901963 setrgbcolor +newpath +144.89044 568.716 moveto +137.10914 568.716 129.91383 567.56757 123.3045 565.27069 curveto +116.74197 562.97382 111.09354 559.55195 106.35919 555.00507 curveto +101.6248 550.45821 97.945116 544.78634 95.320129 537.98944 curveto +92.741996 531.1926 91.452935 523.34105 91.452942 514.43475 curveto +91.452935 506.13794 92.695121 498.61451 95.179504 491.86444 curveto +97.663866 485.11452 101.27324 479.32547 106.00763 474.49725 curveto +110.55448 469.85673 116.17947 466.27079 122.88263 463.73944 curveto +129.63258 461.2083 136.99195 459.94267 144.96075 459.94257 curveto +149.36694 459.94267 153.32787 460.20048 156.84357 460.716 curveto +160.40599 461.18486 163.68724 461.81767 166.68732 462.61444 curveto +169.82786 463.50517 172.66379 464.51298 175.19513 465.63788 curveto +177.77316 466.7161 180.02316 467.72391 181.94513 468.66132 curveto +181.94513 494.04413 lineto +178.85138 494.04413 lineto +177.53879 492.9192 175.87473 491.58327 173.85919 490.03632 curveto +171.89035 488.48952 169.64036 486.96608 167.10919 485.466 curveto +164.53099 483.96609 161.74193 482.70046 158.742 481.66913 curveto +155.74193 480.63796 152.531 480.12234 149.10919 480.12225 curveto +145.31226 480.12234 141.70288 480.73171 138.28107 481.95038 curveto +134.85914 483.12234 131.69508 485.09109 128.78888 487.85663 curveto +126.02321 490.52858 123.77321 494.06764 122.03888 498.47382 curveto +120.35134 502.88013 119.50759 508.22387 119.50763 514.50507 curveto +119.50759 521.06761 120.42166 526.55198 122.24982 530.95819 curveto +124.12478 535.36447 126.46852 538.83322 129.28107 541.36444 curveto +132.14039 543.94259 135.32789 545.79415 138.84357 546.91913 curveto +142.35913 547.99727 145.82788 548.53633 149.24982 548.53632 curveto +152.531 548.53633 155.76537 548.04415 158.95294 547.05975 curveto +162.18724 546.0754 165.1638 544.73946 167.88263 543.05194 curveto +170.17942 541.69259 172.31223 
540.23947 174.28107 538.69257 curveto +176.24972 537.14572 177.86691 535.80978 179.13263 534.68475 curveto +181.94513 534.68475 lineto +181.94513 559.716 lineto +179.32003 560.88788 176.81222 561.98945 174.42169 563.02069 curveto +172.03098 564.05194 169.52317 564.94257 166.89825 565.69257 curveto +163.4763 566.67694 160.26537 567.42694 157.26544 567.94257 curveto +154.26537 568.45819 150.14038 568.716 144.89044 568.716 curveto +fill +grestore +gsave +0.06666667 0.33725491 0.54901963 setrgbcolor +newpath +299.02858 565.61475 moveto +271.11452 565.61475 lineto +263.87233 544.45068 lineto +225.05983 544.45068 lineto +217.81764 565.61475 lineto +190.6067 565.61475 lineto +229.27858 460.91943 lineto +260.3567 460.91943 lineto +299.02858 565.61475 lineto +257.33327 525.25537 moveto +244.46608 487.7085 lineto +231.59889 525.25537 lineto +257.33327 525.25537 lineto +fill +grestore +gsave +0 0.74509805 0 setrgbcolor +newpath +156.20713 485.6924 moveto +151.61497 485.92645 146.53911 489.7176 146.03883 494.92754 curveto +145.4869 500.67546 148.26237 503.92495 152.49239 506.15492 curveto +154.60741 507.26991 157.05196 507.59282 159.51261 507.19379 curveto +161.97326 506.79475 164.38719 505.59681 166.12358 503.16425 curveto +166.84511 502.14714 166.60551 500.7377 165.58841 500.01617 curveto +164.5713 499.29464 163.16186 499.53423 162.44033 500.55134 curveto +161.32625 502.11209 160.11564 502.53979 158.78855 502.755 curveto +157.46146 502.9702 155.9795 502.88326 154.60161 502.15686 curveto +151.84582 500.70407 150.3046 498.40832 150.47762 495.33053 curveto +150.65118 492.24322 153.7485 490.25875 156.67934 490.19416 curveto +159.61018 490.12957 162.42287 491.52891 163.41623 495.41997 curveto +163.53344 496.27859 164.13425 496.9792 164.95879 497.24586 curveto +165.78333 497.51251 166.69059 497.30659 167.28837 496.6792 curveto +167.88615 496.05181 168.06675 495.12884 167.76058 494.31814 curveto +166.28173 488.52534 161.25483 485.58879 156.55342 485.6924 curveto +156.44323 
485.69483 156.31733 485.68679 156.20713 485.6924 curveto +closepath +93.245528 487.10904 moveto +93.176109 487.11777 93.109751 487.15058 93.056642 487.172 curveto +93.04119 487.1788 93.007664 487.19558 92.993682 487.20348 curveto +92.98934 487.20635 92.96637 487.23197 92.962201 487.23496 curveto +92.954171 487.2412 92.938093 487.25973 92.93072 487.26644 curveto +92.923658 487.27338 92.905646 487.29051 92.899239 487.29792 curveto +92.896348 487.30186 92.870477 487.32535 92.867758 487.3294 curveto +92.860555 487.34225 92.842029 487.3785 92.836277 487.39237 curveto +92.834513 487.3971 92.837869 487.419 92.836277 487.42385 curveto +92.831965 487.43871 92.807666 487.47096 92.804796 487.48681 curveto +92.804 487.4922 92.80543 487.51279 92.804796 487.51829 curveto +92.753551 488.11992 94.614927 490.07108 95.354742 490.82377 curveto +96.117856 491.60015 102.42037 496.64376 105.96377 499.04026 curveto +109.52968 501.45199 117.7224 505.8179 119.81532 506.8475 curveto +121.88951 507.86787 128.33361 510.56188 132.59653 511.85295 curveto +139.93056 514.07413 147.46559 515.357 154.75901 515.91397 curveto +162.05243 516.47095 169.1163 516.28407 175.50486 515.5362 curveto +188.28198 514.04044 198.50485 510.68304 203.3024 504.80125 curveto +205.70118 501.86036 206.93955 497.10177 204.21535 494.12926 curveto +201.25159 490.89537 194.38051 488.25484 193.95261 488.24235 curveto +193.92865 488.24222 193.87996 488.24074 193.85816 488.24235 curveto +193.84411 488.2438 193.80832 488.24015 193.7952 488.24235 curveto +193.78888 488.24364 193.76982 488.24088 193.76372 488.24235 curveto +193.75785 488.244 193.73788 488.27199 193.73224 488.27383 curveto +193.72682 488.27584 193.70595 488.27164 193.70076 488.27383 curveto +193.68585 488.28094 193.65073 488.29663 193.6378 488.30531 curveto +193.6337 488.30837 193.6102 488.33356 193.60632 488.33679 curveto +193.60286 488.34036 193.57809 488.36453 193.57484 488.36827 curveto +193.56633 488.38047 193.55005 488.41759 193.54336 488.43123 curveto 
+193.53787 488.44582 193.51561 488.47823 193.51188 488.49419 curveto +193.50977 488.50514 193.51322 488.54562 193.51188 488.55715 curveto +193.51138 488.56307 193.51218 488.58257 193.51188 488.58864 curveto +193.51176 488.59484 193.51181 488.61377 193.51188 488.62012 curveto +193.55133 489.68436 195.52344 492.01579 196.98507 493.63442 curveto +198.11161 494.88196 199.05588 495.74966 199.4641 496.28117 curveto +200.99032 498.26833 199.92829 499.77286 198.95805 501.24392 curveto +196.69771 504.67103 186.87597 508.58703 174.84376 509.99558 curveto +168.82766 510.69985 162.16747 510.85383 155.29418 510.31039 curveto +148.42088 509.76694 141.3411 508.55089 134.4539 506.46973 curveto +129.77276 505.05519 123.36762 502.49032 121.01159 501.49576 curveto +118.59219 500.47445 111.3328 496.9662 108.86 495.73478 curveto +106.40674 494.51307 97.205138 488.81864 96.456568 488.27383 curveto +95.708011 487.72901 93.793929 487.04007 93.245528 487.10904 curveto +closepath +145.31477 519.91203 moveto +145.08762 519.92558 144.85884 519.97449 144.68516 520.03795 curveto +144.62825 520.06001 144.54723 520.10508 144.49627 520.1324 curveto +144.47129 520.14649 144.42532 520.17998 144.40183 520.19536 curveto +144.37882 520.21116 144.3289 520.24124 144.30738 520.25832 curveto +144.27936 520.28165 144.23832 520.32722 144.21294 520.35276 curveto +144.18822 520.37885 144.14057 520.41895 144.1185 520.44721 curveto +144.10244 520.4688 144.07011 520.51886 144.05554 520.54165 curveto +144.018 520.60347 143.98803 520.69193 143.9611 520.76201 curveto +143.92907 520.85087 143.88212 520.97564 143.86665 521.07682 curveto +143.72995 522.09037 144.42037 523.70688 145.91291 525.61006 curveto +148.82221 529.31981 148.67488 532.27804 148.7147 535.71539 curveto +148.75451 539.15273 146.54062 542.83492 143.58333 546.29294 curveto +140.17607 550.27712 136.32342 553.67963 132.81972 556.40343 curveto +129.33927 559.10916 122.50159 563.29996 120.31901 564.99254 curveto +118.16642 566.66187 116.5 567.70151 
116.16355 568.64431 curveto +116.14459 568.70072 116.11146 568.77973 116.10059 568.8332 curveto +116.09266 568.87733 116.10284 568.94863 116.10059 568.9906 curveto +116.09991 569.01551 116.0992 569.06095 116.10059 569.08504 curveto +116.10266 569.10887 116.09644 569.1565 116.10059 569.17948 curveto +116.10542 569.20218 116.12515 569.25209 116.13207 569.27393 curveto +116.13715 569.28829 116.15754 569.32293 116.16355 569.33689 curveto +116.17002 569.35066 116.18762 569.38648 116.19503 569.39985 curveto +116.21078 569.42617 116.23848 569.46963 116.25799 569.49429 curveto +116.2631 569.50035 116.28412 569.51982 116.28947 569.52577 curveto +116.29505 569.53162 116.31513 569.55151 116.32095 569.55725 curveto +116.32701 569.56289 116.34614 569.58321 116.35244 569.58873 curveto +116.43087 569.65364 116.55422 569.72925 116.66724 569.77762 curveto +117.45938 570.09832 119.09193 570.02516 121.60973 569.33689 curveto +123.57983 568.79833 125.94223 567.986 127.52812 567.38508 curveto +129.15607 566.76822 136.89885 562.57741 141.15343 559.49123 curveto +145.37649 556.42793 150.0809 551.72354 152.08314 549.09473 curveto +154.06782 546.48898 157.24072 542.44032 157.49784 534.29876 curveto +157.66967 528.85815 156.47393 525.20509 150.63503 521.83236 curveto +148.21003 520.43161 146.43786 519.84506 145.31477 519.91203 curveto +closepath +eofill +grestore +gsave [0.2166289 0 0 0.2166289 157.43503 398.54335] concat +gsave +0.78039217 1 0 setrgbcolor +newpath +437.85283 778.1725 moveto +400.50577 766.77101 363.70334 753.86167 340.4661 735.22357 curveto +316.13195 715.70566 310.73658 707.52228 297.0158 688.63019 curveto +279.81702 664.94922 262.61006 615.92947 261.10962 569.78887 curveto +259.99549 535.52853 264.71544 507.67861 275.69035 482.33395 curveto +285.10159 460.60034 304.95909 433.2095 314.27272 434.10383 curveto +323.95789 435.03384 321.64692 446.91287 315.30881 473.69031 curveto +307.82383 505.3129 306.8264 513.6481 306.77822 544.97475 curveto +306.72026 582.71669 310.24458 
600.55106 323.02036 638.68039 curveto +328.30642 654.45657 334.89456 674.05264 353.44179 694.94552 curveto +368.23369 711.60818 389.06497 727.73017 426.82573 748.62239 curveto +457.19256 765.42369 465.43744 772.87082 465.88016 777.90325 curveto +466.08079 780.18441 463.72894 781.8198 459.57002 781.90379 curveto +453.98684 782.0211 445.89404 780.62736 437.85283 778.1725 curveto +closepath +564.41594 507.40009 moveto +540.07581 501.45242 530.84187 495.46546 513.17501 487.97187 curveto +457.32468 464.28243 418.03006 446.71512 406.1102 442.49975 curveto +390.52372 436.9876 341.11479 419.82989 311.72894 413.04788 curveto +278.45889 405.36942 229.55131 395.93896 210.57371 394.91105 curveto +193.3049 393.97574 168.72079 396.45157 158.29602 402.33101 curveto +145.8635 409.34275 147.80065 422.04849 163.72177 448.46513 curveto +166.55973 453.17394 169.37824 456.2318 168.20643 458.26666 curveto +167.12117 460.15114 160.90699 458.49682 155.62348 456.01862 curveto +148.50466 452.6796 138.45645 442.66352 133.01599 434.28336 curveto +120.31191 414.71465 127.5962 388.59816 150.68101 375.91485 curveto +167.38592 366.73684 185.7284 364.79548 223.81316 367.93501 curveto +266.44543 371.44945 306.53553 383.09604 325.4845 388.81503 curveto +429.59026 420.23508 466.90107 435.19184 508.48256 457.68146 curveto +527.87392 468.16941 545.26681 480.73953 549.86476 483.51063 curveto +553.65066 485.79236 567.11904 494.40779 573.09729 500.31695 curveto +575.48595 502.67793 576.3465 504.73925 575.94296 505.58313 curveto +575.06628 507.41637 567.23053 508.08783 564.41594 507.40009 curveto +closepath +294.84085 364.79203 moveto +287.16906 361.3543 281.83686 353.87273 278.00193 346.7583 curveto +275.39659 341.92518 273.80336 334.48832 274.21418 326.33932 curveto +274.62477 318.19433 275.29466 311.5671 280.25181 301.12762 curveto +286.88164 287.16541 296.73272 277.17725 309.93597 271.03036 curveto +318.46774 267.05831 320.08085 266.49218 330.83936 266.46937 curveto +341.68726 266.44642 344.87931 
268.34695 350.89816 271.84411 curveto +358.41749 276.21308 362.10162 282.37859 364.67539 288.03779 curveto +367.21546 293.62291 368.55249 297.32745 368.63372 307.43638 curveto +368.71495 317.6346 365.77579 329.25644 356.36677 343.80427 curveto +351.74829 350.94524 343.95621 357.97657 332.19803 364.58548 curveto +323.99925 369.19384 307.21257 370.33584 294.84085 364.79203 curveto +closepath +329.95019 345.27305 moveto +340.87843 335.98337 344.48959 328.48935 345.45017 313.97394 curveto +346.46152 298.6912 334.44432 288.44024 328.91262 287.86384 curveto +314.3913 286.35077 301.44418 297.0031 298.44392 316.77921 curveto +297.80099 321.0171 298.1873 325.04093 299.82156 331.23007 curveto +301.60166 337.97191 306.01828 345.02174 313.16886 347.14684 curveto +320.53426 349.33577 326.18936 347.62306 329.95019 345.27305 curveto +closepath +fill +grestore +grestore +grestore +showpage +%%Trailer +cleartomark +countdictstack +exch sub { end } repeat +restore +%%EOF diff --git a/cacert/www/logos/CAcert-logo-mono.eps b/cacert/www/logos/CAcert-logo-mono.eps new file mode 100644 index 0000000..dd9c7df --- /dev/null +++ b/cacert/www/logos/CAcert-logo-mono.eps 
@@ -0,0 +1,438 @@ +%!PS-Adobe-2.0 EPSF-3.0 +%%Title: (Official CAcert Logo) +%%Copyright: (Copyright 2006-2008 CAcert.org) +%%BoundingBox: 74 538 484 632 +%%Creator: inkscape 0.45.1 +%%EndComments +% This image has been generated from the official CAcert master logo. +% EPSF created by ps2eps 1.64 +%%BeginProlog +save +countdictstack +mark +newpath +/showpage {} def +/setpagedevice {pop} def +%%EndProlog +%%Page 1 1 +%%Page: 1 1 +0 842 translate +0.8 -0.8 scale +0 0 0 setrgbcolor +[] 0 setdash +1 setlinewidth +0 setlinejoin +0 setlinecap +gsave [1 0 0 1 0 0] concat +gsave +0 0 0 setrgbcolor +newpath +146.50216 268.48933 moveto +139.22685 268.6703 132.45499 269.96414 126.22091 272.30183 curveto +119.51776 274.83319 113.89276 278.41131 109.34591 283.05183 curveto +105.52983 286.94354 102.48142 291.47411 100.12716 296.61433 curveto +100.46733 296.80263 100.83144 296.99948 101.22091 297.23933 curveto +106.43013 300.44744 117.25217 306.48933 117.25216 306.48933 curveto +119.91308 307.73221 122.28951 308.78463 124.50216 309.73933 curveto +124.76844 308.8019 125.07708 307.88574 125.40841 307.02058 curveto +127.14275 302.61441 129.39275 299.09879 132.15841 296.42683 curveto +135.06462 293.66129 138.20524 291.69254 141.62716 290.52058 curveto +145.04898 289.30192 148.67398 288.67692 152.47091 288.67683 curveto +155.89271 288.67692 159.09584 289.20817 162.09591 290.23933 curveto +165.09583 291.27067 167.8927 292.52067 170.47091 294.02058 curveto +173.00207 295.52066 175.25207 297.03629 177.22091 298.58308 curveto +179.23644 300.13003 180.90831 301.48941 182.22091 302.61433 curveto +185.28341 302.61433 lineto +185.28341 277.20808 lineto +183.36144 276.27068 181.11145 275.28631 178.53341 274.20808 curveto +176.00208 273.08319 173.17395 272.06756 170.03341 271.17683 curveto +167.03333 270.38006 163.75209 269.73944 160.18966 269.27058 curveto +156.67397 268.75507 152.72085 268.48944 148.31466 268.48933 curveto +148.19015 268.48934 148.06388 268.48871 147.93966 268.48933 curveto 
+147.57284 268.49116 147.2102 268.48205 146.84591 268.48933 curveto +146.73018 268.49165 146.61765 268.48646 146.50216 268.48933 curveto +closepath +232.28341 270.55183 moveto +227.87716 282.48933 lineto +227.88296 282.49449 227.90393 282.51519 227.90841 282.52058 curveto +227.9129 282.52592 227.93381 282.54684 227.93966 282.55183 curveto +229.06339 283.30712 230.28085 283.40933 231.40841 283.02058 curveto +232.53596 282.63184 233.60872 281.74181 234.47091 280.30183 curveto +235.33311 278.86186 235.81923 276.95764 235.59591 275.08308 curveto +235.37258 273.20853 234.46963 271.77588 233.34591 271.02058 curveto +233.04742 270.81996 232.74564 270.66259 232.43966 270.55183 curveto +232.28341 270.55183 lineto +closepath +239.72091 270.55183 moveto +240.10937 271.39977 240.37913 272.36293 240.50216 273.39558 curveto +240.81711 276.03919 240.15491 278.79217 238.68966 281.23933 curveto +237.22442 283.6865 234.8369 285.90641 231.87716 286.92683 curveto +229.79609 287.64432 227.80708 287.63177 226.15841 287.11433 curveto +225.06466 290.11433 lineto +233.59663 292.30151 242.06103 295.34001 249.93966 297.80183 curveto +264.54243 303.13521 268.37958 304.49044 278.50216 311.58308 curveto +263.34591 270.55183 lineto +239.72091 270.55183 lineto +closepath +223.00216 295.64558 moveto +193.59591 375.23933 lineto +220.81466 375.23933 lineto +226.81466 357.70808 lineto +224.1799 354.21189 222.28847 350.0339 220.75216 344.77058 curveto +216.3062 329.53904 216.73533 315.58008 224.59591 305.20808 curveto +226.71905 302.4066 228.27532 301.19624 229.22091 301.27058 curveto +229.22361 301.27055 229.24918 301.27069 229.25216 301.27058 curveto +229.28529 301.27745 229.34276 301.29395 229.37716 301.30183 curveto +229.37996 301.30178 229.40521 301.30204 229.40841 301.30183 curveto +229.44269 301.31656 229.50586 301.35083 229.53341 301.36433 curveto +229.54504 301.37049 229.57985 301.38743 229.59591 301.39558 curveto +229.61814 301.41008 229.66847 301.44142 229.68966 301.45808 curveto +229.71629 
301.48232 229.7607 301.52821 229.78341 301.55183 curveto +229.7944 301.56253 229.83503 301.6034 229.84591 301.61433 curveto +229.85142 301.61968 229.87168 301.64018 229.87716 301.64558 curveto +230.59676 302.65786 230.44575 305.4999 229.37716 309.58308 curveto +226.93587 318.91144 226.11386 329.52236 230.15841 342.23933 curveto +231.72252 347.15723 233.14266 350.85916 235.28341 354.08308 curveto +266.84591 354.08308 lineto +274.09591 375.23933 lineto +302.03341 375.23933 lineto +280.28341 316.39558 lineto +278.46135 315.91289 276.46053 315.17267 275.28341 314.58308 curveto +266.56138 310.91738 258.18148 307.09924 249.65841 303.73933 curveto +260.31466 334.86433 lineto +234.59591 334.86433 lineto +245.78341 302.23933 lineto +238.70666 299.59462 231.46096 297.32444 223.78341 295.77058 curveto +223.51512 295.729 223.26991 295.69003 223.00216 295.64558 curveto +closepath +99.033408 299.14558 moveto +98.864128 299.57222 98.693368 299.99224 98.533408 300.42683 curveto +96.049028 307.1769 94.814658 314.69252 94.814658 322.98933 curveto +94.814658 331.89563 96.080278 339.75499 98.658408 346.55183 curveto +101.2834 353.34873 104.98652 359.00498 109.72091 363.55183 curveto +113.76144 367.43237 118.44254 370.5289 123.81466 372.77058 curveto +124.25478 372.51807 124.71723 372.27283 125.22091 372.02058 curveto +132.45238 368.39906 139.97637 362.74074 145.28341 356.30183 curveto +144.25838 356.07811 143.22278 355.80616 142.18966 355.48933 curveto +138.67399 354.36435 135.48649 352.50498 132.62716 349.92683 curveto +129.81462 347.39561 127.47088 343.92686 125.59591 339.52058 curveto +123.76775 335.11437 122.84588 329.61438 122.84591 323.05183 curveto +122.8459 320.08674 123.03237 317.34913 123.40841 314.80183 curveto +120.43747 313.29873 117.53914 311.65455 114.75216 310.02058 curveto +107.19024 305.58712 106.05177 304.73768 99.689658 299.67683 curveto +99.463338 299.4968 99.236028 299.31894 99.033408 299.14558 curveto +closepath +182.47091 343.23933 moveto +181.2052 344.36436 
179.59582 345.69249 177.62716 347.23933 curveto +175.65832 348.78624 173.5177 350.25498 171.22091 351.61433 curveto +168.50208 353.30185 165.54895 354.62998 162.31466 355.61433 curveto +160.02359 356.32187 157.68534 356.79035 155.34591 356.98933 curveto +154.92243 357.54073 154.50248 358.10768 154.06466 358.70808 curveto +148.64347 366.14235 139.97645 371.72633 131.00216 375.14558 curveto +136.38559 376.55934 142.14737 377.27058 148.25216 377.27058 curveto +153.50209 377.27058 157.62709 377.00497 160.62716 376.48933 curveto +163.62708 375.97371 166.83021 375.22372 170.25216 374.23933 curveto +172.87707 373.48934 175.39269 372.61433 177.78341 371.58308 curveto +180.17394 370.55183 182.65832 369.44245 185.28341 368.27058 curveto +185.28341 343.23933 lineto +182.47091 343.23933 lineto +closepath +fill +grestore +gsave [190.3115 0 0 182.3379 -18130.202 -61497.108] concat +gsave +0 0 0 setrgbcolor +newpath +97.097476 339.34192 moveto +97.060486 339.34192 97.026641 339.33751 96.995942 339.32871 curveto +96.965494 339.3199 96.938946 339.30631 96.916299 339.28794 curveto +96.893904 339.26957 96.876541 339.24642 96.864211 339.21849 curveto +96.851881 339.19056 96.845716 339.15785 96.845716 339.12035 curveto +96.845716 339.08085 96.852258 339.04675 96.865343 339.01806 curveto +96.87868 338.98938 96.897175 338.9656 96.920829 338.94672 curveto +96.943727 338.92886 96.970149 338.91577 97.000094 338.90747 curveto +97.030038 338.89917 97.061115 338.89501 97.093324 338.89501 curveto +97.122262 338.89501 97.148935 338.89816 97.173344 338.90445 curveto +97.197752 338.91074 97.220525 338.91892 97.241663 338.92898 curveto +97.241663 339.04486 lineto +97.222413 339.04486 lineto +97.217128 339.04033 97.210711 339.03505 97.203163 339.02901 curveto +97.195865 339.02297 97.186806 339.01706 97.175986 339.01127 curveto +97.165669 339.00573 97.154345 339.0012 97.142015 338.99768 curveto +97.129685 338.99391 97.115342 338.99202 97.098986 338.99202 curveto +97.06275 338.99202 97.034819 
339.00359 97.015192 339.02674 curveto +96.995816 339.04964 96.986128 339.08085 96.986128 339.12035 curveto +96.986128 339.16112 96.996067 339.19207 97.015947 339.21321 curveto +97.036077 339.23434 97.064512 339.24491 97.101251 339.24491 curveto +97.118361 339.24491 97.133711 339.24302 97.1473 339.23925 curveto +97.161139 339.23522 97.172589 339.23057 97.181648 339.22528 curveto +97.190203 339.22025 97.197752 339.21497 97.204295 339.20943 curveto +97.210837 339.20389 97.216876 339.19848 97.222413 339.1932 curveto +97.241663 339.1932 lineto +97.241663 339.30908 lineto +97.220273 339.31914 97.197878 339.32707 97.174476 339.33286 curveto +97.151326 339.3389 97.125659 339.34192 97.097476 339.34192 curveto +fill +grestore +grestore +gsave [0.9898382 0 0 1.0102662 0 0] concat +gsave +0 0 0 setrgbcolor +newpath +472.00806 337.33351 moveto +414.0717 337.33351 lineto +414.44666 343.52092 416.79036 348.25519 421.10281 351.53636 curveto +425.46206 354.81756 431.86036 356.45815 440.29775 356.45813 curveto +445.64133 356.45815 450.82091 355.49723 455.8365 353.57538 curveto +460.85195 351.65356 464.81281 349.5911 467.71908 347.388 curveto +470.53152 347.388 lineto +470.53152 367.70791 lineto +464.81281 370.00474 459.42229 371.66877 454.35997 372.7 curveto +449.2975 373.73123 443.69605 374.24684 437.55561 374.24685 curveto +421.71214 374.24684 409.57176 370.68442 401.13446 363.55956 curveto +392.69711 356.43471 388.47845 346.28649 388.47845 333.11484 curveto +388.47845 320.0839 392.46274 309.77162 400.43134 302.17795 curveto +408.44678 294.53756 419.41531 290.71732 433.33695 290.71724 curveto +446.18038 290.71732 455.83643 293.97507 462.30512 300.49049 curveto +468.77366 306.95917 472.00797 316.28711 472.00806 328.47431 curveto +472.00806 337.33351 lineto +446.83668 322.49787 moveto +446.69599 317.20115 445.38352 313.21686 442.89926 310.54498 curveto +440.41487 307.87322 436.54777 306.53731 431.29792 306.53724 curveto +426.42298 306.53731 422.41525 307.80291 419.27472 310.33404 
curveto +416.13413 312.8653 414.37635 316.91991 414.00139 322.49787 curveto +446.83668 322.49787 lineto +fill +grestore +grestore +gsave [53.91831 0 0 52.52882 -7057.9802 -23241.358] concat +gsave +0 0 0 setrgbcolor +newpath +140.80005 448.61115 moveto +140.75777 448.61115 lineto +140.73751 448.60411 140.70492 448.59882 140.66001 448.5953 curveto +140.61508 448.59178 140.57765 448.59001 140.5477 448.59001 curveto +140.47988 448.59001 140.41999 448.59442 140.36802 448.60322 curveto +140.31605 448.61203 140.26012 448.62701 140.20023 448.64815 curveto +140.20023 449.64168 lineto +139.7246 449.64168 lineto +139.7246 448.15798 lineto +140.20023 448.15798 lineto +140.20023 448.37598 lineto +140.30504 448.28614 140.39621 448.22669 140.47372 448.19762 curveto +140.55123 448.16767 140.62257 448.1527 140.68775 448.1527 curveto +140.70448 448.1527 140.72342 448.15314 140.74456 448.15402 curveto +140.7657 448.1549 140.7842 448.15622 140.80005 448.15798 curveto +140.80005 448.61115 lineto +fill +grestore +grestore +gsave +0 0 0 setrgbcolor +newpath +578.9004 277.62606 moveto +552.9629 287.68856 lineto +552.9629 299.53231 lineto +542.24415 299.53231 lineto +542.24415 316.21981 lineto +552.9629 316.21981 lineto +552.9629 352.09481 lineto +552.9629 361.47856 555.4177 368.0979 560.3379 371.96981 curveto +565.30595 375.84223 572.83378 377.78231 582.9629 377.78231 curveto +587.49711 377.78231 591.35883 377.56703 594.49415 377.15731 curveto +597.6295 376.79276 600.57143 376.27821 603.36915 375.59481 curveto +603.36915 358.71981 lineto +601.2129 358.71981 lineto +600.34466 359.17523 598.80658 359.67351 596.5879 360.21981 curveto +594.41702 360.76663 592.65714 361.03283 591.30665 361.03231 curveto +588.02669 361.03284 585.51185 360.59941 583.7754 359.68856 curveto +582.0873 358.73201 580.88812 357.43959 580.2129 355.84481 curveto +579.48927 354.25056 579.10502 352.44306 579.05665 350.43856 curveto +579.00826 348.43406 578.99415 346.09522 578.99415 343.40731 curveto +578.99415 316.21981 
lineto +603.36915 316.21981 lineto +603.36915 299.53231 lineto +578.99415 299.53231 lineto +578.99415 277.62606 lineto +578.9004 277.62606 lineto +closepath +fill +grestore +0 0 0 setrgbcolor +[] 0 setdash +1.5 setlinewidth +0 setlinejoin +1 setlinecap +newpath +159.22803 294.11165 moveto +154.63643 294.34566 149.56121 298.13634 149.06098 303.34564 curveto +148.50913 309.09284 151.28425 312.34192 155.51374 314.57161 curveto +157.62849 315.68646 160.07274 316.00933 162.53309 315.61035 curveto +164.99343 315.21137 167.40705 314.01358 169.14322 311.58132 curveto +169.86466 310.56434 169.62509 309.15507 168.60813 308.43363 curveto +167.59115 307.71218 166.18188 307.95175 165.46043 308.96874 curveto +164.34649 310.52928 163.13604 310.95693 161.80911 311.17213 curveto +160.48219 311.38729 159.00042 311.30037 157.62269 310.57405 curveto +154.86726 309.12144 153.32623 306.82597 153.49922 303.74857 curveto +153.67276 300.66165 156.76969 298.67742 159.70016 298.61284 curveto +162.63064 298.54827 165.44297 299.94742 166.43622 303.83801 curveto +166.55341 304.69651 167.15415 305.39704 167.97858 305.66366 curveto +168.80301 305.93028 169.71016 305.72438 170.30788 305.09707 curveto +170.90558 304.46975 171.08615 303.54691 170.78002 302.73631 curveto +169.30136 296.94423 164.27508 294.00806 159.57426 294.11165 curveto +159.46408 294.11408 159.33821 294.10604 159.22803 294.11165 curveto +closepath +96.274277 295.52811 moveto +96.20488 295.53685 96.138525 295.56965 96.08543 295.59105 curveto +96.069973 295.59786 96.03645 295.61463 96.022476 295.62253 curveto +96.018138 295.62541 95.995164 295.65103 95.990999 295.65401 curveto +95.98297 295.66025 95.96689 295.67878 95.959523 295.68549 curveto +95.952454 295.69243 95.934443 295.70955 95.928045 295.71696 curveto +95.925143 295.72091 95.899275 295.7444 95.896557 295.74845 curveto +95.889362 295.7613 95.870842 295.79754 95.865081 295.81141 curveto +95.863322 295.81614 95.866677 295.83803 95.865081 295.84289 curveto +95.860778 295.85773 
95.836473 295.88999 95.833603 295.90583 curveto +95.832817 295.91122 95.834252 295.9318 95.833603 295.93731 curveto +95.78237 296.53887 97.643517 298.48978 98.383224 299.24237 curveto +99.146246 300.01866 105.44797 305.06164 108.99093 307.45785 curveto +112.55639 309.86928 120.74808 314.23464 122.84075 315.26411 curveto +124.91468 316.28434 131.35798 318.97801 135.62036 320.26894 curveto +142.95348 322.48984 150.48757 323.77254 157.78007 324.32945 curveto +165.07259 324.88635 172.13558 324.69949 178.52333 323.95172 curveto +191.29886 322.45614 201.52045 319.09916 206.3174 313.21812 curveto +208.71588 310.27759 209.9541 305.5196 207.23024 302.54746 curveto +204.26686 299.31397 197.39663 296.67378 196.96879 296.66128 curveto +196.94483 296.66115 196.89614 296.65968 196.87435 296.66128 curveto +196.8603 296.66273 196.82451 296.65909 196.81139 296.66128 curveto +196.80508 296.66257 196.78601 296.65981 196.77991 296.66128 curveto +196.77405 296.66293 196.75408 296.69092 196.74844 296.69276 curveto +196.74302 296.69477 196.72216 296.69057 196.71696 296.69276 curveto +196.70206 296.69987 196.66695 296.71555 196.65402 296.72424 curveto +196.64991 296.72729 196.62642 296.75248 196.62254 296.75571 curveto +196.61907 296.75928 196.59431 296.78345 196.59105 296.78719 curveto +196.58255 296.79938 196.56628 296.8365 196.55959 296.85013 curveto +196.55409 296.86472 196.53183 296.89713 196.52811 296.91309 curveto +196.52599 296.92403 196.52944 296.96451 196.52811 296.97604 curveto +196.5276 296.98196 196.52841 297.00146 196.52811 297.00752 curveto +196.52798 297.01372 196.52804 297.03266 196.52811 297.039 curveto +196.56754 298.1031 198.53941 300.43426 200.00087 302.05267 curveto +201.12726 303.30005 202.07142 304.16765 202.47957 304.6991 curveto +204.00561 306.68601 202.94371 308.19034 201.9736 309.66123 curveto +199.71354 313.08791 189.89303 317.00342 177.86231 318.41179 curveto +171.84696 319.11597 165.18761 319.26992 158.31518 318.72656 curveto +151.44275 318.18318 144.36384 
316.96728 137.4775 314.88639 curveto +132.79696 313.47202 126.39261 310.90746 124.03687 309.91303 curveto +121.61776 308.89185 114.35929 305.38404 111.8868 304.15278 curveto +109.43384 302.93122 100.23338 297.2375 99.484913 296.69276 curveto +98.736461 296.148 96.822625 295.45916 96.274277 295.52811 curveto +closepath +148.33701 328.32701 moveto +148.1099 328.34056 147.88114 328.38946 147.70749 328.45291 curveto +147.65058 328.47497 147.56958 328.52003 147.51862 328.54734 curveto +147.49365 328.56143 147.44767 328.59492 147.42419 328.6103 curveto +147.40119 328.6261 147.35126 328.65618 147.32974 328.67325 curveto +147.30173 328.69658 147.2607 328.74214 147.23532 328.76768 curveto +147.21061 328.79377 147.16297 328.83386 147.1409 328.86212 curveto +147.12482 328.88371 147.09252 328.93375 147.07795 328.95654 curveto +147.04041 329.01836 147.01043 329.10681 146.98352 329.17688 curveto +146.95149 329.26573 146.90454 329.39048 146.88908 329.49164 curveto +146.75239 330.50507 147.44272 332.12138 148.93508 334.02433 curveto +151.84401 337.7336 151.69671 340.69147 151.73652 344.12839 curveto +151.77632 347.5653 149.56272 351.24702 146.60578 354.70462 curveto +143.19895 358.68831 139.34678 362.09038 135.84353 364.81385 curveto +132.36351 367.51924 125.52668 371.70952 123.34438 373.40188 curveto +121.19205 375.07101 119.52584 376.11052 119.18944 377.0532 curveto +119.17048 377.10959 119.13735 377.18861 119.12648 377.24207 curveto +119.11856 377.2862 119.12874 377.35748 119.12648 377.39944 curveto +119.12581 377.42436 119.12508 377.46979 119.12648 377.49387 curveto +119.12855 377.51771 119.12234 377.56533 119.12648 377.5883 curveto +119.13132 377.611 119.15104 377.66091 119.15796 377.68274 curveto +119.16303 377.6971 119.18343 377.73173 119.18944 377.74569 curveto +119.1959 377.75947 119.2135 377.79528 119.22091 377.80864 curveto +119.23665 377.83495 119.26436 377.87842 119.28387 377.90307 curveto +119.28898 377.90913 119.30998 377.9286 119.31534 377.93455 curveto +119.32091 
377.94041 119.34099 377.96029 119.34682 377.96603 curveto +119.35289 377.97167 119.37199 377.99198 119.37831 377.9975 curveto +119.45673 378.06239 119.58005 378.138 119.69307 378.18638 curveto +120.4851 378.50702 122.11746 378.43389 124.63494 377.74569 curveto +126.60479 377.2072 128.96689 376.39496 130.55259 375.79412 curveto +132.18032 375.17734 139.92214 370.98706 144.1762 367.90127 curveto +148.39873 364.83835 153.10254 360.13455 155.10455 357.50606 curveto +157.08897 354.90063 160.26147 350.85248 160.51855 342.71194 curveto +160.69037 337.27201 159.49478 333.6194 153.65661 330.24709 curveto +151.23191 328.84652 149.45996 328.26004 148.33701 328.32701 curveto +closepath +stroke +gsave [0.2166019 0 0 0.2166019 160.45576 206.97348] concat +0 0 0 setrgbcolor +[] 0 setdash +6.9666977 setlinewidth +0 setlinejoin +0 setlinecap +newpath +437.85283 778.1725 moveto +400.50577 766.77101 363.70334 753.86167 340.4661 735.22357 curveto +316.13195 715.70566 310.73658 707.52228 297.0158 688.63019 curveto +279.81702 664.94922 262.61006 615.92947 261.10962 569.78887 curveto +259.99549 535.52853 264.71544 507.67861 275.69035 482.33395 curveto +285.10159 460.60034 304.95909 433.2095 314.27272 434.10383 curveto +323.95789 435.03384 321.64692 446.91287 315.30881 473.69031 curveto +307.82383 505.3129 306.8264 513.6481 306.77822 544.97475 curveto +306.72026 582.71669 310.24458 600.55106 323.02036 638.68039 curveto +328.30642 654.45657 334.89456 674.05264 353.44179 694.94552 curveto +368.23369 711.60818 389.06497 727.73017 426.82573 748.62239 curveto +457.19256 765.42369 465.43744 772.87082 465.88016 777.90325 curveto +466.08079 780.18441 463.72894 781.8198 459.57002 781.90379 curveto +453.98684 782.0211 445.89404 780.62736 437.85283 778.1725 curveto +closepath +564.41594 507.40009 moveto +540.07581 501.45242 530.84187 495.46546 513.17501 487.97187 curveto +457.32468 464.28243 418.03006 446.71512 406.1102 442.49975 curveto +390.52372 436.9876 341.11479 419.82989 311.72894 413.04788 
curveto +278.45889 405.36942 229.55131 395.93896 210.57371 394.91105 curveto +193.3049 393.97574 168.72079 396.45157 158.29602 402.33101 curveto +145.8635 409.34275 147.80065 422.04849 163.72177 448.46513 curveto +166.55973 453.17394 169.37824 456.2318 168.20643 458.26666 curveto +167.12117 460.15114 160.90699 458.49682 155.62348 456.01862 curveto +148.50466 452.6796 138.45645 442.66352 133.01599 434.28336 curveto +120.31191 414.71465 127.5962 388.59816 150.68101 375.91485 curveto +167.38592 366.73684 185.7284 364.79548 223.81316 367.93501 curveto +266.44543 371.44945 306.53553 383.09604 325.4845 388.81503 curveto +429.59026 420.23508 466.90107 435.19184 508.48256 457.68146 curveto +527.87392 468.16941 545.26681 480.73953 549.86476 483.51063 curveto +553.65066 485.79236 567.11904 494.40779 573.09729 500.31695 curveto +575.48595 502.67793 576.3465 504.73925 575.94296 505.58313 curveto +575.06628 507.41637 567.23053 508.08783 564.41594 507.40009 curveto +closepath +294.84085 364.79203 moveto +287.16906 361.3543 281.83686 353.87273 278.00193 346.7583 curveto +275.39659 341.92518 273.80336 334.48832 274.21418 326.33932 curveto +274.62477 318.19433 275.29466 311.5671 280.25181 301.12762 curveto +286.88164 287.16541 296.73272 277.17725 309.93597 271.03036 curveto +318.46774 267.05831 320.08085 266.49218 330.83936 266.46937 curveto +341.68726 266.44642 344.87931 268.34695 350.89816 271.84411 curveto +358.41749 276.21308 362.10162 282.37859 364.67539 288.03779 curveto +367.21546 293.62291 368.55249 297.32745 368.63372 307.43638 curveto +368.71495 317.6346 365.77579 329.25644 356.36677 343.80427 curveto +351.74829 350.94524 343.95621 357.97657 332.19803 364.58548 curveto +323.99925 369.19384 307.21257 370.33584 294.84085 364.79203 curveto +closepath +329.95019 345.27305 moveto +340.87843 335.98337 344.48959 328.48935 345.45017 313.97394 curveto +346.46152 298.6912 334.44432 288.44024 328.91262 287.86384 curveto +314.3913 286.35077 301.44418 297.0031 298.44392 316.77921 
curveto +297.80099 321.0171 298.1873 325.04093 299.82156 331.23007 curveto +301.60166 337.97191 306.01828 345.02174 313.16886 347.14684 curveto +320.53426 349.33577 326.18936 347.62306 329.95019 345.27305 curveto +closepath +stroke +grestore +grestore +showpage +%%Trailer +cleartomark +countdictstack +exch sub { end } repeat +restore +%%EOF diff --git a/cacert/www/logos/CVS/Entries b/cacert/www/logos/CVS/Entries new file mode 100644 index 0000000..9569cf1 --- /dev/null +++ b/cacert/www/logos/CVS/Entries @@ -0,0 +1,18 @@ +/animated.gif/1.1/Fri May 13 15:41:53 2005// +/cacert-free-certificates2.png/1.1/Fri May 13 15:41:53 2005// +/cacert-free-certificates3.png/1.1/Fri May 13 15:41:53 2005// +/cacert-free-certificates4.png/1.1/Fri May 13 15:41:53 2005// +/cacert-grey.png/1.1/Fri May 13 15:41:53 2005// +/cacert-grey2.png/1.1/Fri May 13 15:41:53 2005// +/cacert-secure-site.png/1.1/Fri May 13 15:41:53 2005// +/cacert-secure-site2.png/1.1/Fri May 13 15:41:53 2005// +/cacert-secured3.png/1.1/Fri May 13 15:41:53 2005// +/cacert-secured4.png/1.1/Fri May 13 15:41:53 2005// +/cacert-secured5.png/1.1/Fri May 13 15:41:53 2005// +/cacert-secured7.png/1.1/Fri May 13 15:41:53 2005// +/cacert1.png/1.1/Fri May 13 15:41:53 2005// +/small-ssl-secured-site.png/1.1/Fri May 13 15:41:53 2005// +/small-ssl-security.png/1.1/Fri May 13 15:41:53 2005// +/CAcert-logo-colour.eps/1.1/Fri Nov 14 23:39:23 2008// +/CAcert-logo-mono.eps/1.1/Fri Nov 14 23:39:23 2008// +D diff --git a/cacert/www/logos/CVS/Repository b/cacert/www/logos/CVS/Repository new file mode 100644 index 0000000..9e025dd --- /dev/null +++ b/cacert/www/logos/CVS/Repository @@ -0,0 +1 @@ +cacert/www/logos diff --git a/cacert/www/logos/CVS/Root b/cacert/www/logos/CVS/Root new file mode 100644 index 0000000..a363882 --- /dev/null +++ b/cacert/www/logos/CVS/Root @@ -0,0 +1 @@ +/var/lib/cvs diff --git a/cacert/www/logos/animated.gif b/cacert/www/logos/animated.gif Binary files differnew file mode 100644 index 0000000..34ccff1 
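Review bot: The `CVS/Entries`, `CVS/Repository` and `CVS/Root` files added under `cacert/www/logos/` are version-control metadata placed inside the web-served tree. If the server does not deny requests for them, they disclose the directory's file list with revisions and dates, plus the repository path `/var/lib/cvs` recorded in `CVS/Root`. I would drop the `CVS/` directories from the imported tree, or failing that deny access to them in the server configuration. The same applies to any other `CVS/` directory this commit adds under `cacert/www`.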
--- /dev/null +++ b/cacert/www/logos/animated.gif diff --git a/cacert/www/logos/cacert-free-certificates2.png b/cacert/www/logos/cacert-free-certificates2.png Binary files differnew file mode 100644 index 0000000..91e5571 --- /dev/null +++ b/cacert/www/logos/cacert-free-certificates2.png diff --git a/cacert/www/logos/cacert-free-certificates3.png b/cacert/www/logos/cacert-free-certificates3.png Binary files differnew file mode 100644 index 0000000..d09ce11 --- /dev/null +++ b/cacert/www/logos/cacert-free-certificates3.png diff --git a/cacert/www/logos/cacert-free-certificates4.png b/cacert/www/logos/cacert-free-certificates4.png Binary files differnew file mode 100644 index 0000000..c153677 --- /dev/null +++ b/cacert/www/logos/cacert-free-certificates4.png diff --git a/cacert/www/logos/cacert-grey.png b/cacert/www/logos/cacert-grey.png Binary files differnew file mode 100644 index 0000000..1c56e42 --- /dev/null +++ b/cacert/www/logos/cacert-grey.png diff --git a/cacert/www/logos/cacert-grey2.png b/cacert/www/logos/cacert-grey2.png Binary files differnew file mode 100644 index 0000000..33cd1dd --- /dev/null +++ b/cacert/www/logos/cacert-grey2.png diff --git a/cacert/www/logos/cacert-secure-site.png b/cacert/www/logos/cacert-secure-site.png Binary files differnew file mode 100644 index 0000000..6dd6272 --- /dev/null +++ b/cacert/www/logos/cacert-secure-site.png diff --git a/cacert/www/logos/cacert-secure-site2.png b/cacert/www/logos/cacert-secure-site2.png Binary files differnew file mode 100644 index 0000000..a25a690 --- /dev/null +++ b/cacert/www/logos/cacert-secure-site2.png diff --git a/cacert/www/logos/cacert-secured3.png b/cacert/www/logos/cacert-secured3.png Binary files differnew file mode 100644 index 0000000..23b5abe --- /dev/null +++ b/cacert/www/logos/cacert-secured3.png diff --git a/cacert/www/logos/cacert-secured4.png b/cacert/www/logos/cacert-secured4.png Binary files differnew file mode 100644 index 0000000..6ab4591 --- /dev/null 
+++ b/cacert/www/logos/cacert-secured4.png diff --git a/cacert/www/logos/cacert-secured5.png b/cacert/www/logos/cacert-secured5.png Binary files differnew file mode 100644 index 0000000..cd329a6 --- /dev/null +++ b/cacert/www/logos/cacert-secured5.png diff --git a/cacert/www/logos/cacert-secured7.png b/cacert/www/logos/cacert-secured7.png Binary files differnew file mode 100644 index 0000000..bd947fc --- /dev/null +++ b/cacert/www/logos/cacert-secured7.png diff --git a/cacert/www/logos/cacert1.png b/cacert/www/logos/cacert1.png Binary files differnew file mode 100644 index 0000000..7389a85 --- /dev/null +++ b/cacert/www/logos/cacert1.png diff --git a/cacert/www/logos/small-ssl-secured-site.png b/cacert/www/logos/small-ssl-secured-site.png Binary files differnew file mode 100644 index 0000000..293aa70 --- /dev/null +++ b/cacert/www/logos/small-ssl-secured-site.png diff --git a/cacert/www/logos/small-ssl-security.png b/cacert/www/logos/small-ssl-security.png Binary files differnew file mode 100644 index 0000000..20532c8 --- /dev/null +++ b/cacert/www/logos/small-ssl-security.png diff --git a/cacert/www/news.php b/cacert/www/news.php new file mode 100644 index 0000000..f355b4b --- /dev/null +++ b/cacert/www/news.php 
@@ -0,0 +1,48 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/ ?>
+<?
+ loadem("index");
+
+ $id = intval($id);
+
+ showheader(_("Welcome to CAcert.org"));
+
+ if($id > 0)
+ {
+ $query = "select * from `news` where `id`='$id'";
+ $row = mysql_fetch_assoc(mysql_query($query));
+
+ echo "<h3>".$row['short']."</h3>\n";
+ echo "<p>Posted by ".$row['who']." at ".$row['when']."</p>\n";
+
+ echo "<p>".str_replace("\n", "<br>\n", $row['story'])."</p>\n";
+ } else {
+ $query = "select *, UNIX_TIMESTAMP(`when`) as `TS` from news order by `when` desc";
+ $res = mysql_query($query);
+ while($row = mysql_fetch_assoc($res))
+ {
+ echo "<p><b>".date("Y-m-d", $row['TS'])."</b> - ".$row['short']."</p>\n";
+ if($row['story'] != "")
+ echo "<p>[ <a href='news.php?id=".$row['id']."'>"._("Full Story")."</a> ]</p>\n";
+ }
+ }
+
+ echo "<p>[ <a href='javascript:history.go(-1)'>"._("Go Back")."</a> ]</p>\n";
+
+ showfooter();
+?>
diff --git a/cacert/www/policy/AssurancePolicy.php b/cacert/www/policy/AssurancePolicy.php
new file mode 100644
index 0000000..37a0760
--- /dev/null
+++ b/cacert/www/policy/AssurancePolicy.php
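Review bot: The `short`, `who`, `when` and `story` columns are echoed into the page without HTML encoding, in both the single-item branch and the list loop, so any markup stored in the `news` table is rendered as-is for every visitor. The code that writes to `news` is not shown here, so I cannot tell whether entries are meant to carry markup; unless they are, each field should pass through `htmlspecialchars()` before output, as in the fence below. The `$id` interpolated into the query is constrained by the `intval()` cast, but the result of `mysql_query()` goes straight into `mysql_fetch_assoc()`, so an id with no matching row prints an empty heading and byline. A check on `$row` before the echoes would cover that case.

```php
	// … unchanged: loadem(), intval($id), showheader(), single-item $query …
	$row = mysql_fetch_assoc(mysql_query($query));
	if($row)
	{
		echo "<h3>".htmlspecialchars($row['short'])."</h3>\n";
		echo "<p>Posted by ".htmlspecialchars($row['who'])." at ".htmlspecialchars($row['when'])."</p>\n";

		echo "<p>".str_replace("\n", "<br>\n", htmlspecialchars($row['story']))."</p>\n";
	}
	// … unchanged: else branch, list query and while loop header …
		echo "<p><b>".date("Y-m-d", $row['TS'])."</b> - ".htmlspecialchars($row['short'])."</p>\n";
	// … unchanged: "Full Story" link, "Go Back" link, showfooter() …
```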
@@ -0,0 +1,723 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<html><head> +<title>Assurance Policy</title> + +<meta name="CREATED" content="20080530;0"> +<meta name="CHANGEDBY" content="Teus Hagen"> +<meta name="CHANGED" content="20080709;12381800"> +<meta name="CREATEDBY" content="Ian Grigg"> +<meta name="CHANGEDBY" content="Teus Hagen"> +<meta name="CHANGEDBY" content="Robert Cruikshank"> +<meta name="CHANGEDBY" content="Teus Hagen"> +<style type="text/css"> +<!-- +P { color: #000000 } +TD P { color: #000000 } +H1 { color: #000000 } +H2 { color: #000000 } +DT { color: #000000 } +DD { color: #000000 } +H3 { color: #000000 } +TH P { color: #000000 } +--> +</style></head> +<body style="direction: ltr; color: rgb(0, 0, 0);" lang="en-GB"> +<h1>Assurance Policy for CAcert Community Members</h1> +<p><a href="PolicyOnPolicy.php"><img src="/images/cacert-policy.png" id="graphics1" alt="CAcert Policy Status == POLICY" align="bottom" border="0" height="33" width="90"></a> +<br> +Editor: Teus Hagen<br> +Creation date: 2008-05-30<br> +Last change by: Iang<br> +Last change date: 2009-01-08<br> +Status: POLICY p20090105.2 +</p> + +<h2><a name="0">0.</a> Preamble</h2> +<h3><a name="0.1">0.1.</a> Definition of Terms</h3> +<dl> +<dt><i>Member</i> </dt> +<dd> A Member is an individual who has agreed to the CAcert +Community Agreement +(<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php" target="_blank">CCA</a>) +and has created successfully +a CAcert login account on the CAcert web site. </dd> +<dt> <i>Assurance</i> </dt> +<dd> Assurance is the process by which a Member of CAcert +Community (Assurer) identifies an individual (<span lang="en-US">Assuree</span>). +</dd> +<dt> <i>Prospective Member</i> </dt> +<dd> An individual who participates in the process of Assurance, +but has not yet created a CAcert login account. </dd> +<dt> <i>Name</i> </dt> +<dd> A Name is the full name of an individual. 
+</dd> +<dt> <i>Secondary Distinguishing Feature</i> +</dt> +<dd> An additional personal data item of the Member +that assists discrimination from Members with similar full names. +(Currently this is the Date of Birth (DoB).) +</dd> +</dl> + +<h3><a name="0.2">0.2.</a> The CAcert Web of Trust</h3> +<p> +In face-to-face meetings, +an Assurer allocates a number of Assurance Points +to the Member being Assured. +CAcert combines the Assurance Points +into a global <i>Web-of-Trust</i> (or "WoT"). +</p> +<p> +CAcert explicitly chooses to meet its various goals by +construction of a Web-of-Trust of all Members. +</p> + +<h3><a name="0.3">0.3.</a> Related Documentation</h3> +<p> +Documentation on Assurance is split between this +Assurance Policy (AP) and the +<a href="http://wiki.cacert.org/wiki/AssuranceHandbook2" target="_blank">Assurance +Handbook</a>. The policy is controlled by Configuration Control +Specification +(<a href="http://wiki.cacert.org/wiki/PolicyDrafts/ConfigurationControlSpecification" target="_blank">CCS</a>) +under Policy on Policy +(<a href="http://www.cacert.org/policy/PolicyOnPolicy.php" target="_blank">PoP</a>) +policy document regime. Because Assurance is an active area, much +of the practice is handed over to the Assurance Handbook, which is +not a controlled policy document, and can more easily respond to +experience and circumstances. It is also more readable. +</p> +<p> +See also Organisation Assurance Policy (<a href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php" target="_blank">OAP</a>) +and CAcert Policy Statement (<a href="http://svn.cacert.org/CAcert/policy.htm" target="_blank">CPS</a>). +</p> + +<h2><a name="1">1.</a> Assurance Purpose</h2> +<p>The purpose of Assurance is to add confidence +in the Assurance Statement made by the CAcert Community of a Member. 
</p> +<p>With sufficient assurances, a Member may: (a) issue certificates +with their assured Name included, (b) participate in assuring others, +and (c) other related activities. The strength of these activities is +based on the strength of the assurance. </p> + +<h3><a name="1.1">1.1.</a>The Assurance Statement</h3> +<p> +The Assurance Statement makes the following claims +about a person: +</p> +<ol> +<li> +<p>The person is a bona fide Member. In other words, the +person is a member of the CAcert Community as defined by the CAcert +Community Agreement (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php" target="_blank">CCA</a>); </p> +</li> +<li> +<p>The Member has a (login) account with CAcert's on-line +registration and service system; </p> +</li> +<li> +<p>The Member can be determined from any CAcert certificate +issued by the Account; </p> +</li> +<li> +<p>The Member is bound into CAcert's Arbitration as defined +by the CAcert Community Agreement; </p> +</li> +<li> +<p>Some personal details of the Member are known to CAcert: +the individual Name(s), primary and other listed individual email +address(es), secondary distinguishing feature (e.g. DoB). </p> +</li> +</ol> +<p>The confidence level of the Assurance Statement is expressed by +the Assurance Points. </p> +<h3><a name="1.2">1.2.</a>Relying Party Statement</h3> +<p>The primary goal of the Assurance Statement is for the express +purpose of certificates to meet the needs of the <i>Relying Party +Statement</i>, which latter is found in the Certification Practice +Statement (<a href="http://svn.cacert.org/CAcert/policy.htm" target="_blank">CPS</a>). +</p> +<p>When a certificate is issued, some of the Assurance Statement may +be incorporated, e.g. Name. Other parts may be implied, e.g. +Membership, exact account and status. They all are part of the +<i>Relying Party Statement</i>. 
In short, this means that other +Members of the Community may rely on the information verified by +Assurance and found in the certificate.</p> +<p>In particular, certificates are sometimes considered to provide +reliable indications of e.g. the Member's Name and email address. The +nature of Assurance, the number of Assurance Points, and other +policies and processes should be understood as limitations on any +reliance. </p> +<h2><a name="2">2.</a> The Member</h2> +<h3><a name="2.1">2.1.</a> The Member's Name </h3> +<p> +At least one individual Name is recorded in the Member's +CAcert login account. The general standard of a Name is: +</p> +<ul> +<li> +<p> +The Name should be recorded as written in a +government-issued photo identity document (ID). +</p> +</li> +<li> +<p> +The Name should be recorded as completely as possible. +That is, including all middle names, any titles and extensions, +without abbreviations, and without transliteration of characters. +</p> +</li> +<li> +<p>The Name is recorded as a string of characters, +encoded in <span lang="en-US">unicode</span> +transformation format.</p> +</li> +</ul> +<h3><a name="2.2">2.2.</a> Multiple Names and variations</h3> +<p> +In order to handle the contradictions in the above general standard, +a Member may record multiple Names or multiple variations of a Name +in her CAcert online Account. +Examples of variations include married names, +variations of initials of first or middle names, +abbreviations of a first name, +different language or country variations, +and transliterations of characters in a name. +</p> + +<h3><a name="2.3">2.3.</a> Status and Capabilities</h3> +<p> +A Name which has reached +the level of 50 Assurance Points is defined as an Assured +Name. An Assured Name can be used in a certificate issued by CAcert. +A Member with at least one Assured Name has reached the Assured +Member status. +Additional capabilities are described in Table 1. 
+</p> + +<blockquote> +<p align="left"><font size="2"><i>Table 1: +Assurance Capability</i></font></p> +<table border="1" cellpadding="5" cellspacing="0"> +<tbody> +<tr> +<td width="10%"> +<p align="left"><i>Minimum Assurance Points</i></p> +</td> +<td width="15%"> +<p align="left"><i>Capability</i></p> +</td> +<td width="15%"> +<p align="left"><i>Status</i></p> +</td> +<td width="60%"> +<p align="left"><i>Comment</i></p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">0</p> +</td> +<td> +<p align="left">Request Assurance</p> +</td> +<td> +<p align="left">Prospective Member</p> +</td> +<td> +<p align="left">Individual taking part of an +Assurance, who does not have created a CAcert login account (yet). The +allocation of Assurance Points is awaiting login account creation.</p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">0</p> +</td> +<td> +<p align="left">Request unnamed certificates</p> +</td> +<td> +<p align="left">Member</p> +</td> +<td> +<p align="left">Although the Member's details are +recorded in the account, they are not highly assured.</p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">50</p> +</td> +<td> +<p align="left">Request named certificates</p> +</td> +<td> +<p align="left">Assured Member</p> +</td> +<td> +<p align="left">Statements of Assurance: the Name is +assured to 50 Assurance Points or more</p> +</td> +</tr> +<tr valign="top"> +<td> +<p align="center">100</p> +</td> +<td> +<p align="left">Become an Assurer</p> +</td> +<td> +<p align="left">Prospective Assurer</p> +</td> +<td> +<p align="left">Assured to 100 Assurance Points (or +more) on at least one Name, and passing the Assurer Challenge.</p> +</td> +</tr> +</tbody> +</table> +</blockquote> + + +<p> +A Member may check the status of another Member, especially +for an assurance process. +Status may be implied from information in a certificate. +The number of Assurance Points for each Member is not published. 
+</p> + +<p> +The CAcert Policy Statement +(<a href="http://svn.cacert.org/CAcert/policy.htm" target="_blank">CPS</a>) +and other policies may list other capabilities that rely on Assurance +Points. +</p> + +<h2><a name="3">3.</a> The Assurer</h2> +<p>An Assurer is a Member with the following: </p> +<ul> +<li> +<p>Is assured to a minimum of 100 Assurance Points; </p> +</li> +<li> +<p>Has passed the CAcert Assurer Challenge. </p> +</li> +</ul> +<p>The Assurer Challenge is administered by the Education Team on +behalf of the Assurance Officer. </p> +<h3><a name="3.1">3.1.</a> The Obligations of the Assurer</h3> +<p>The Assurer is obliged to: </p> +<ul> +<li> +<p>Follow this Assurance Policy; </p> +</li> +<li> +<p>Follow any additional rules of detail laid out by the +CAcert Assurance Officer; </p> +</li> +<li> +<p>Be guided by the CAcert <a href="http://wiki.cacert.org/wiki/AssuranceHandbook2" target="_blank">Assurance Handbook</a> in their +judgement; </p> +</li> +<li> +<p>Make a good faith effort at identifying and verifying +Members; </p> +</li> +<li> +<p>Maintain the documentation on each Assurance; </p> +</li> +<li> +<p>Deliver documentation to Arbitration, or as otherwise +directed by the Arbitrator; </p> +</li> +<li> +<p>Keep up-to-date with developments within the CAcert +Community. </p> +</li> +</ul> +<h2><a name="4">4.</a> The Assurance</h2> +<h3><a name="4.1">4.1.</a> The Assurance Process</h3> +<p>The Assurer conducts the process of Assurance with each +Member. 
</p> +<p>The process consists of: </p> +<ol> +<li> +<p>Voluntary agreement by both Assurer and Member or +Prospective Member to conduct the Assurance; </p> +</li> +<li> +<p>Personal meeting of Assurer and Member or Prospective +Member; </p> +</li> +<li> +<p>Recording of essential details on CAcert Assurance +Programme form; </p> +</li> +<li> +<p>Examination of Identity documents by Assurer and +verification of recorded details (the Name(s) and Secondary +Distinguishing Feature, e.g., DoB); </p> +</li> +<li> +<p>Allocation of Assurance Points by Assurer; </p> +</li> +<li> +<p>Optional: supervision of reciprocal Assurance made by +Assuree (Mutual Assurance); </p> +</li> +<li> +<p>Safekeeping of the CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +forms by Assurer. </p> +</li> +</ol> +<h3><a name="4.2">4.2.</a> Mutual Assurance</h3> +<p>Mutual Assurance follows the principle of reciprocity. This +means +that the Assurance may be two-way, and that each member participating +in the Assurance procedure should be able to show evidence of their +identity to the other. </p> +<p>In the event that an Assurer is assured by a Member who is not +certified as an Assurer, the Assurer supervises the Assurance +procedure and process, and is responsible for the results. </p> +<p>Reciprocity maintains a balance between the (new) member and +the +Assurer, and reduces any sense of power. It is also an important aid +to the assurance training for future Assurers. </p> + +<h3><a name="4.3">4.3.</a> Assurance Points</h3> +<p>The Assurance applies Assurance Points to each Member which +measure the increase of confidence in the Statement (above). +Assurance Points should not be interpreted for any other purpose. +Note that, even though they are sometimes referred to as <i>Web-of-Trust</i> +(Assurance) Points, or <i>Trust</i> Points, the meaning +of the word +'Trust' is not well defined. 
</p> +<p><i>Assurance Points Allocation</i><br> +An Assurer can allocate a +number of Assurance Points to the Member according to the Assurer's +experience (Experience Point system, see below). The allocation of +the maximum means that the Assurer is 100% confident in the +information presented: </p> +<ul> +<li> +<p>Detail on form, system, documents, person in accordance; </p> +</li> +<li> +<p>Sufficient quality identity documents have been checked; </p> +</li> +<li> +<p>Assurer's familiarity with identity documents; </p> +</li> +<li> +<p>The Assurance Statement is confirmed. </p> +</li> +</ul> +<p> +Any lesser confidence should result in less Assurance Points for a +Name. If the Assurer has no confidence in the information presented, +then <i>zero</i> Assurance Points may be allocated by the Assurer. +For example, this may happen if the identity documents are totally +unfamiliar to the Assurer. The number of Assurance Points from <i>zero</i> +to <i>maximum</i> is guided by the Assurance Handbook +and the judgement of the Assurer. +If there is negative confidence the Assurer should consider +filing a dispute. +</p> +<p>Multiple Names should be allocated Assurance Points +independently within a single Assurance. </p> +<p> +A Member who is not an Assurer may award an Assurer in a +reciprocal process a maximum of 2 Assurance Points, according to +her judgement. The Assurer should strive to have the Member allocate +according to the Member's judgement, and stay on the cautious side; +the Member new to the assurance process +should allocate <i>zero</i> Assurance Points +until she gains some confidence in what is happening. +</p> +<p> +In general, for a Member to reach 50 Assurance Points, the Member must +have participated in at least two assurances, and +at least one Name will have been assured to that level. +</p> +<p> +To reach 100 Assurance +Points, at least one Name of the Assured Member must have been +assured at least three times. 
+</p> +<p> +The maximum number of Assurance +Points which can be allocated for an Assurance under this policy +and under any act under any +Subsidiary Policy (below) is 50 Assurance Points. +</p> + +<h3><a name="4.4">4.4.</a> Experience Points</h3> +<p>The maximum number of Assurance Points that may be awarded by +an +Assurer is determined by the Experience Points of the Assurer. </p> +<blockquote> +<p align="left"><font size="2"><i>Table 2: +Maximum of Assurance Points </i></font> +</p> +<table border="1" cellpadding="2" cellspacing="0" width="15%"> +<tbody> +<tr> +<td> +<p><i>Assurer's Experience Points</i></p> +</td> +<td> +<p><i>Allocatable Assurance Points</i></p> +</td> +</tr> +<tr> +<td> +<p align="center">0</p> +</td> +<td> +<p align="center">10</p> +</td> +</tr> +<tr> +<td> +<p align="center">10</p> +</td> +<td> +<p align="center">15</p> +</td> +</tr> +<tr> +<td> +<p align="center">20</p> +</td> +<td> +<p align="center">20</p> +</td> +</tr> +<tr> +<td> +<p align="center">30</p> +</td> +<td> +<p align="center">25</p> +</td> +</tr> +<tr> +<td> +<p align="center">40</p> +</td> +<td> +<p align="center">30</p> +</td> +</tr> +<tr> +<td> +<p align="center">>=50</p> +</td> +<td> +<p align="center">35</p> +</td> +</tr> +</tbody> +</table> +</blockquote> +<p>An Assurer is given a maximum of 2 Experience Points for every +completed Assurance. On reaching Assurer status, the Experience +Points start at 0 (zero). </p> +<p>Less Experience Points (1) may be given for mass Assurance +events, +where each Assurance is quicker. </p> +<p>Additional Experience Points may be granted temporarily or +permanently to an Assurer by CAcert Inc.'s Committee (board), on +recommendation from the Assurance Officer. </p> +<p>Experience Points are not to be confused with Assurance +Points. 
</p> +<h3><a name="4.5">4.5.</a> CAcert Assurance Programme (CAP) form</h3> +<p>The CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +form requests the following details of each Member or Prospective +Member: </p> +<ul> +<li> +<p>Name(s), as recorded in the on-line account; </p> +</li> +<li> +<p>Primary email address, as recorded in the on-line account; +</p> +</li> +<li> +<p>Secondary Distinguishing Feature, as recorded in the +on-line account (normally, date of birth); </p> +</li> +<li> +<p>Statement of agreement with the CAcert Community +Agreement; </p> +</li> +<li> +<p>Permission to the Assurer to conduct the Assurance +(required for privacy reasons); </p> +</li> +<li> +<p>Date and signature of the Assuree. </p> +</li> +</ul> +<p>The CAP form requests the following details of the Assurer: </p> +<ul> +<li> +<p>At least one Name as recorded in the on-line account of +the Assurer; </p> +</li> +<li> +<p>Assurance Points for each Name in the identity +document(s); </p> +</li> +<li> +<p>Statement of Assurance; </p> +</li> +<li> +<p>Optional: If the Assurance is reciprocal, then the +Assurer's email address and Secondary Distinguishing Feature are +required as well; </p> +</li> +<li> +<p>Date, location of Assurance and signature of Assurer. </p> +</li> +</ul> +<p>The CAP forms are to be kept at least for 7 years by the +Assurer. </p> +<h2><a name="5">5.</a> The Assurance Officer</h2> +<p>The Committee (board) of CAcert Inc. 
appoints an Assurance +Officer +with the following responsibilities: </p> +<ul> +<li> +<p>Reporting to the Committee and advising on all matters to +do with Assurance; </p> +</li> +<li> +<p>Training and testing of Assurers, in association with the +Education Team; </p> +</li> +<li> +<p>Updating this Assurance Policy, under the process +established by Policy on Policy (<a href="https://www.cacert.org/policy/PolicyOnPolicy.php" target="_blank">PoP</a>); </p> +</li> +<li> +<p>Management of all Subsidiary Policies (see below) for +Assurances, under Policy on Policy; </p> +</li> +<li> +<p>Managing and creating rules of detail or procedure where +inappropriate for policies; </p> +</li> +<li> +<p>Incorporating rulings from Arbitration into policies, +procedures or guidelines; </p> +</li> +<li> +<p>Assisting the Arbitrator in any requests; </p> +</li> +<li> +<p>Managing the Assurer Handbook; </p> +</li> +<li> +<p>Maintaining a sufficient strength in the Assurance process +(web-of-trust) to meet the agreed needs of the Community. </p> +</li> +</ul> +<h2><a name="6">6.</a> Subsidiary Policies</h2> +<p>The Assurance Officer manages various exceptions and additional +processes. Each must be covered by an approved Subsidiary Policy +(refer to Policy on Policy => CAcert Official Document COD1). +Subsidiary Policies specify any additional tests of knowledge +required and variations to process and documentation, within the +general standard stated here. </p> +<h3><a name="6.1">6.1.</a> Standard</h3> +<p>Each Subsidiary Policy must augment and improve the general +standards in this Assurance Policy. It is the responsibility of each +Subsidiary Policy to describe how it maintains and improves the +specific and overall goals. It must describe exceptions and potential +areas of risk. 
</p> + +<h3><a name="6.2">6.2.</a> High Risk Applications</h3> +<p>In addition to the Assurance or Experience Points ratings set +here and in other subsidiary policies, the Assurance Officer or policies can +designate certain applications as high risk. If so, additional +measures may be added to the Assurance process that specifically +address the risks.</p> +<p>Additional measures may include: +</p> +<ul> +<li> +<p>Additional information can be required in process of assurance: </p> +<ul> +<li>unique numbers of identity documents,</li> +<li>photocopy of identity documents,</li> +<li>photo of User,</li> +<li>address of User.</li> +</ul> +<p>Additional Information is to be kept by Assurer, attached to +CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +form. Assurance Points allocation by this assurance is unchanged. +User's CAcert login account should be annotated to record type of +additional information;</p> +</li> +<li> +<p>Arbitration: </p> +<ul> +<li> Member to participate in Arbitration. This confirms +their acceptance of the forum as well as trains in the process and +import, +</li> +<li> Member to file Arbitration to present case. This +allows Arbitrator as final authority; +</li> +</ul> +</li> +<li> +<p>Additional training; </p> +</li> +<li> +<p>Member to be Assurer (at least 100 Assurance Points and +passed Assurer Challenge); </p> +</li> +<li> +<p>Member agrees to additional specific agreement(s); </p> +</li> +<li> +<p>Additional checking/auditing of systems data by CAcert +support administrators. </p> +</li> +</ul> +<p>Applications that might attract additional measures include +code-signing certificates and administration roles. </p> +<h2><a name="7">7.</a> Privacy</h2> +<p>CAcert is a "privacy" organisation, and takes the +privacy of its Members seriously. The process maintains the security +and privacy of both parties. 
</p> +<p>Information is collected primarily to make claims within the +certificates requested by users and to contact the Members. It is +used secondarily for training, testing, administration and other +internal purposes. </p> +<p>The Member's information can be accessed under these +circumstances: </p> +<ul> +<li> +<p>Under Arbitrator ruling, in a duly filed dispute (<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php" target="_blank">Dispute Resolution Policy</a> +=> COD7); </p> +</li> +<li> +<p>An Assurer in the process of an Assurance, as permitted on +the CAcert Assurance Programme (<a href="http://www.cacert.org/cap.php" target="_blank">CAP</a>) +form; </p> +</li> +<li> +<p>CAcert support administration and CAcert systems +administration when operating under the authority of Arbitrator or +under CAcert policy. </p> +</li> +</ul> +<p><a href="http://validator.w3.org/check?uri=referer"><img src="/images/valid-xhtml11-blue" id="graphics2" alt="Valid XHTML 1.1" align="bottom" border="0" height="33" width="90"></a> +</p> +</body></html> + diff --git a/cacert/www/policy/CAcertCommunityAgreement.php b/cacert/www/policy/CAcertCommunityAgreement.php new file mode 100644 index 0000000..5c16b4b --- /dev/null +++ b/cacert/www/policy/CAcertCommunityAgreement.php 
@@ -0,0 +1,512 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> + +<html> +<head><title>CAcert Community Agreement</title></head> +<body> + + + + +<h3> <a name="0"> 0. </a> Introduction </h3> + +<p> +This agreement is between +you, being a registered member ("Member") +within CAcert's community at large ("Community") +and CAcert Incorporated ("CAcert"), +being an operator of services to the Community. +</p> + +<h4> <a name="0.1"> 0.1 </a> Terms </h4> +<ol><li> + "CAcert" + means CAcert Inc., + a non-profit Association of Members incorporated in + New South Wales, Australia. + Note that Association Members are distinct from + the Members defined here. + </li><li> + "Member" + means you, a registered participant within CAcert's Community, + with an account on the website and the + facility to request certificates. + Members may be individuals ("natural persons") + or organisations ("legal persons"). + </li><li> + "Organisation" + is defined under the Organisation Assurance programme, + and generally includes corporations and other entities + that become Members and become Assured. + </li><li> + "Community" + means all of the Members + that are registered by this agreement + and other parties by other agreements, + all being under CAcert's Arbitration. + </li><li> + "Non-Related Person" ("NRP"), + being someone who is not a + Member, is not part of the Community, + and has not registered their agreement. + Such people are offered the NRP-DaL + another agreement allowing the USE of certificates. + </li><li> + "Non-Related Persons - Disclaimer and Licence" ("NRP-DaL"), + another agreement that is offered to persons outside the + Community. + </li><li> + "Arbitration" + is the Community's forum for + resolving disputes, or jurisdiction. + </li><li> + "Dispute Resolution Policy" ("DRP" => COD7) + is the policy and + rules for resolving disputes. 
+ </li><li> + "USE" + means the act by your software + to conduct its tasks, incorporating + the certificates according to software procedures. + </li><li> + "RELY" + means your human act in taking on a + risk and liability on the basis of the claim(s) + bound within a certificate. + </li><li> + "OFFER" + means the your act + of making available your certificate to another person. + Generally, you install and configure your software + to act as your agent and facilite this and other tasks. + OFFER does not imply suggestion of reliance. + </li><li> + "Issue" + means creation of a certificate by CAcert. + To create a certificate, + CAcert affixes a digital signature from the root + onto a public key and other information. + This act would generally bind a statement or claim, + such as your name, to your key. + </li><li> + "Root" + means CAcert's top level key, + used for signing certificates for Members. + In this document, the term includes any subroots. + </li><li> + "CAcert Official Document" ("COD" => COD3) + in a standard format for describing the details of + operation and governance essential to a certificate authority. + Changes are managed and controlled. + CODs define more technical terms. + See 4.2 for listing of relevant CODs. + </li><li> + "Certification Practice Statement" ("CPS" => COD6) + is the document that controls details + about operational matters within CAcert. +</li></ol> + + +<h3> <a name="1"> 1. </a> Agreement and Licence </h3> + +<h4> <a name="1.1"> 1.1 </a> Agreement </h4> + +<p> +You and CAcert both agree to the terms and conditions +in this agreement. 
+Your agreement is given by any of +</p> + +<ul><li> + your signature on a form to request assurance of identity + ("CAP" form), + </li><li> + your request on the website + to join the Community and create an account, + </li><li> + your request for Organisation Assurance, + </li><li> + your request for issuing of certificates, or + </li><li> + if you USE, RELY, or OFFER + any certificate issued to you. +</li></ul> + +<p> +Your agreement +is effective from the date of the first event above +that makes this agreement known to you. +This Agreement +replaces and supercedes prior agreements, +including the NRP-DaL. +</p> + + +<h4> <a name="1.2"> 1.2 </a> Licence </h4> + +<p> +As part of the Community, CAcert offers you these rights: +</p> + +<ol><li> + You may USE any certificates issued by CAcert. + </li><li> + You may RELY on any certificate issued by CAcert, + as explained and limited by CPS (COD6). + </li><li> + You may OFFER certificates issued to you by CAcert + to Members for their RELIANCE. + </li><li> + You may OFFER certificates issued to you by CAcert + to NRPs for their USE, within the general principles + of the Community. + </li><li> + This Licence is free of cost, + non-exclusive, and non-transferrable. +</li></ol> + +<h4> <a name="1.3"> 1.3 </a> Your Contributions </h4> + + +<p> +You agree to a non-exclusive non-restrictive non-revokable +transfer of Licence to CAcert for your contributions. +That is, if you post an idea or comment on a CAcert forum, +or email it to other Members, +your work can be used freely by the Community for +CAcert purposes, including placing under CAcert's licences +for wider publication. +</p> + +<p> +You retain authorship rights, and the rights to also transfer +non-exclusive rights to other parties. +That is, you can still use your +ideas and contributions outside the Community. 
+</p> + +<p> +Note that the following exceptions override this clause: +</p> + +<ol><li> + Contributions to controlled documents are subject to + Policy on Policy ("PoP" => COD1) + </li><li> + Source code is subject to an open source licence regime. +</li></ol> + +<h4> <a name="1.4"> 1.4 </a> Privacy </h4> + + +<p> +You give rights to CAcert to store, verify and process +and publish your data in accordance with policies in force. +These rights include shipping the data to foreign countries +for system administration, support and processing purposes. +Such shipping will only be done among +CAcert Community administrators and Assurers. +</p> + +<p> +Privacy is further covered in the Privacy Policy ("PP" => COD5). +</p> + +<h3> <a name="2"> 2. </a> Your Risks, Liabilities and Obligations </h3> + +<p> +As a Member, you have risks, liabilities +and obligations within this agreement. +</p> + +<h4> <a name="2.1"> 2.1 </a> Risks </h4> + +<ol><li> + A certificate may prove unreliable. + </li><li> + Your account, keys or other security tools may be + lost or otherwise compromised. + </li><li> + You may find yourself subject to Arbitration + (DRP => COD7). +</li></ol> + +<h4> <a name="2.2"> 2.2 </a> Liabilities </h4> + +<ol><li> + You are liable for any penalties + as awarded against you by the Arbitrator. + </li><li> + Remedies are as defined in the DRP (COD7). + An Arbitrator's ruling may + include monetary amounts, awarded against you. + </li><li> + Your liability is limited to + a total maximum of + <b>1000 Euros</b>. + </li><li> + "Foreign Courts" may assert jurisdiction. + These include your local courts, and are outside our Arbitration. + Foreign Courts will generally refer to the Arbitration + Act of their country, which will generally refer + civil cases to Arbitration. + The Arbitration Act will not apply to criminal cases. 
+</li></ol> + +<h4> <a name="2.3"> 2.3 </a> Obligations </h4> + +<p> + You are obliged +</p> + +<ol><li> + to provide accurate information + as part of Assurance. + You give permission for verification of the information + using CAcert-approved methods. + </li><li> + to make no false representations. + </li><li> + to submit all your disputes to Arbitration + (DRP => COD7). +</li></ol> + +<h4> <a name="2.4"> 2.4 </a> Principles </h4> + +<p> +As a Member of CAcert, you are a member of +the Community. + You are further obliged to + work within the spirit of the Principles + of the Community. + These are described in + <a href="http://svn.cacert.org/CAcert/principles.html">Principles of the Community</a>. +</p> + +<h4> <a name="2.5"> 2.5 </a> Security </h4> +<p> +CAcert exists to help you to secure yourself. +You are primarily responsible for your own security. +Your security obligations include +</p> + +<ol><li> + to secure yourself and your computing platform (e.g., PC), + </li><li> + to keep your email account in good working order, + </li><li> + to secure your CAcert account + (e.g., credentials such as username, password), + </li><li> + to secure your private keys, + </li><li> + to review certificates for accuracy, + and + </li><li> + when in doubt, notify CAcert, + </li><li> + when in doubt, take other reasonable actions, such as + revoking certificates, + changing account credentials, + and/or generating new keys. +</li></ol> + +<p> +Where, above, 'secure' means to protect to a reasonable +degree, in proportion with your risks and the risks of +others. +</p> + +<h3> <a name="3"> 3. </a> Law and Jurisdiction </h3> + +<h4> <a name="3.1"> 3.1 </a> Governing Law </h4> + +<p> +This agreement is governed under the law of +New South Wales, Australia, +being the home of the CAcert Inc. Association. 
+</p>
+
+<h4> <a name="3.2"> 3.2 </a> Arbitration as Forum of Dispute Resolution </h4>
+
+<p>
+You agree, with CAcert and all of the Community,
+that all disputes arising out
+of or in connection to our use of CAcert services
+shall be referred to and finally resolved
+by Arbitration under the rules within the
+Dispute Resolution Policy of CAcert
+(DRP => COD7).
+The rules select a single Arbitrator chosen by CAcert
+from among senior Members in the Community.
+The ruling of the Arbitrator is binding and
+final on Members and CAcert alike.
+</p>
+
+<p>
+In general, the jurisdiction for resolution of disputes
+is within CAcert's own forum of Arbitration,
+as defined and controlled by its own rules (DRP => COD7).
+</p>
+
+<p>
+We use Arbitration for many purposes beyond the strict
+nature of disputes, such as governance and oversight.
+A systems administrator may
+need authorisation to conduct a non-routine action,
+and Arbitration may provide that authorisation.
+Thus, you may find yourself party to Arbitration
+that is simply support actions, and you may file disputes in
+order to initiate support actions.
+</p>
+
+<h4> <a name="3.3"> 3.3 </a> Termination </h4>
+<p>
+You may terminate this agreement by resigning
+from CAcert. You may do this at any time by
+writing to CAcert's online support forum and
+filing dispute to resign.
+All services will be terminated, and your
+certificates will be revoked.
+However, some information will continue to
+be held for certificate processing purposes.
+</p>
+
+<p>
+The provisions on Arbitration survive any termination
+by you by leaving CAcert.
+That is, even if you resign from CAcert,
+you are still bound by the DRP (COD7),
+and the Arbitrator may reinstate any provision of this
+agreement or bind you to a ruling.
+</p>
+
+<p>
+Only the Arbitrator may terminate this agreement with you.
+</p>
+
+<h4> <a name="3.4"> 3.4 </a> Changes of Agreement </h4>
+
+<p>
+CAcert may from time to time vary the terms of this Agreement.
+Changes will be done according to the documented CAcert policy
+for changing policies, and is subject to scrutiny and feedback
+by the Community.
+Changes will be notified to you by email to your primary address.
+</p>
+
+<p>
+If you do not agree to the changes, you may terminate as above.
+Continued use of the service shall be deemed to be agreement
+by you.
+</p>
+
+<h4> <a name="3.5"> 3.5 </a> Communication </h4>
+
+<p>
+Notifications to CAcert are to be sent by
+email to the address
+<b>support</b> <i>at</i> CAcert.org.
+You should attach a digital signature,
+but need not do so in the event of security
+or similar urgency.
+</p>
+
+<p>
+Notifications to you are sent
+by CAcert to the primary email address
+registered with your account.
+You are responsible for keeping your email
+account in good working order and able
+to receive emails from CAcert.
+</p>
+
+<p>
+Arbitration is generally conducted by email.
+</p>
+
+<h3> <a name="4"> 4. </a> Miscellaneous </h3>
+
+<h4> <a name="4.1"> 4.1 </a> Other Parties Within the Community </h4>
+
+<p>
+As well as you and other Members in the Community,
+CAcert forms agreements with third party
+vendors and others.
+Thus, such parties will also be in the Community.
+Such agreements are also controlled by the same
+policy process as this agreement, and they should
+mirror and reinforce these terms.
+</p>
+
+
+<h4> <a name="4.2"> 4.2 </a> References and Other Binding Documents </h4>
+
+<p>
+This agreement is CAcert Official Document 9 (COD9)
+and is a controlled document.
+</p>
+
+<p>
+You are also bound by
+</p>
+
+<ol><li>
+ <a href="http://svn.cacert.org/CAcert/policy.htm">
+ Certification Practice Statement</a> (CPS => COD6).
+ </li><li>
+ <a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">
+ Dispute Resolution Policy</a> (DRP => COD7).
+ </li><li>
+ <a href="http://www.cacert.org/index.php?id=10">
+ Privacy Policy</a> (PP => COD5).
+ </li><li>
+ <a href="http://svn.cacert.org/CAcert/principles.html">
+ Principles of the Community</a>.
+</li></ol>
+
+<p>
+Where documents are referred to as <i>=> COD x</i>,
+they are controlled documents
+under the control of Policy on Policies (COD1).
+</p>
+
+<p>
+This agreement and controlled documents above are primary,
+and may not be replaced or waived except
+by formal policy channels and by Arbitration.
+</p>
+
+<h4> <a name="4.3"> 4.3 </a> Informative References </h4>
+
+<p>
+The governing documents are in English.
+Documents may be translated for convenience.
+Because we cannot control the legal effect of translations,
+the English documents are the ruling ones.
+</p>
+
+<p>
+You are encouraged to be familiar with the
+Assurer Handbook,
+which provides a more readable introduction for much of
+the information needed.
+The Handbook is not however an agreement, and is overruled
+by this agreement and others listed above.
+</p>
+
+<h4> <a name="4.4"> 4.4 </a> Not Covered in this Agreement </h4>
+
+<p>
+<b>Intellectual Property.</b>
+This Licence does not transfer any intellectual
+property rights ("IPR") to you. CAcert asserts and
+maintains its IPR over its roots, issued certificates,
+brands, logos and other assets.
+Note that the certificates issued to you
+are CAcert's intellectual property
+and you do not have rights other than those stated.
+</p>
+
+
+</body>
+</html>
diff --git a/cacert/www/policy/CVS/Entries b/cacert/www/policy/CVS/Entries
new file mode 100644
index 0000000..b5fe53c
--- /dev/null
+++ b/cacert/www/policy/CVS/Entries
@@ -0,0 +1,8 @@
+/DisputeResolutionPolicy.php/1.1/Fri Jan 18 22:56:31 2008//
+/NRPDisclaimerAndLicence.php/1.2/Fri Jan 18 23:00:49 2008//
+/OrganisationAssurancePolicy.php/1.1/Fri Jan 18 22:56:31 2008//
+/CAcertCommunityAgreement.php/1.2/Fri Mar 14 18:28:21 2008//
+/PolicyOnPolicy.php/1.1/Fri Mar 14 14:03:39 2008//
+/index.php/1.2/Sun Apr 6 19:45:26 2008//
+/AssurancePolicy.php/1.2/Thu Jun 25 20:09:37 2009//
+D
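Review bot: The `CVS/Entries` file added here, and the `CVS/Repository` and `CVS/Root` files in the next two hunks, are version-control metadata placed under `cacert/www/policy/`, which looks like part of the served web tree. If the server hands these files out, a visitor can read the file list with revisions and the repository path `/var/lib/cvs`; the `.htaccess` added at the top of this commit contains no rule that would block them. I would leave the `CVS/` directories out of the import, or failing that deny them in the server configuration, for example `RedirectMatch 404 /CVS(/|$)`.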
diff --git a/cacert/www/policy/CVS/Repository b/cacert/www/policy/CVS/Repository
new file mode 100644
index 0000000..27873cf
--- /dev/null
+++ b/cacert/www/policy/CVS/Repository
@@ -0,0 +1 @@
+cacert/www/policy
diff --git a/cacert/www/policy/CVS/Root b/cacert/www/policy/CVS/Root
new file mode 100644
index 0000000..a363882
--- /dev/null
+++ b/cacert/www/policy/CVS/Root
@@ -0,0 +1 @@
+/var/lib/cvs
diff --git a/cacert/www/policy/DisputeResolutionPolicy.php b/cacert/www/policy/DisputeResolutionPolicy.php
new file mode 100644
index 0000000..a97789b
--- /dev/null
+++ b/cacert/www/policy/DisputeResolutionPolicy.php
@@ -0,0 +1,639 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+<head>
+<title>Dispute Resulution Policy</title>
+</head>
+<body>
+
+<table width="100%">
+
+<tr>
+<td> DRP </td>
+<td> </td>
+<td width="20%"> Teus Hagen </td>
+</tr>
+
+<tr>
+<td> POLICY <a href="http://wiki.cacert.org/wiki/TopMinutes-20070917">m20070919.3</a> </td>
+<td> </td>
+<td>
+ $Date: 2008-01-18 22:56:31 $
+ <!--
+ to get this to work, we have to do this:
+ svn propset svn:keywords "Date" PolicyOnPolicy.html
+ except it does not work through the website.
+ -->
+</td>
+</tr>
+
+<tr>
+<td> COD7 </td>
+<td> </td>
+<td> <!-- contributors --> </td>
+</tr>
+
+
+<tr> <!-- title only -->
+<td> </td>
+<td > <b>Dispute Resolution Policy</b> </td>
+<td> </td>
+</tr>
+
+</table>
+
+
+<h2> <a name="0"> 0. </a> Introduction</h2>
+
+<p>
+This is the Dispute Resolution Policy for CAcert.
+Disputes arising out of
+operations by CAcert and interactions between
+users may be addressed through this policy.
+This document also presents the rules for
+resolution of disputes.
+</p>
+
+<h3> <a name="0.1"> 0.1 </a> Nature of Disputes </h3>
+
+<p>
+Disputes include:
+</p>
+
+<ul><li>
+ Requests for non-routine support actions.
+ CAcert support team has no authority to
+ act outside the normal support facilities made
+ available to Users;
+ </li><li>
+ Classical disputes where a User or another
+ assert claims and demand remedies;
+ </li><li>
+ Requests by external organisations, including
+ legal processes from foreign courts;
+ </li><li>
+ Events initiated for training purposes.
+</li></ul>
+
+<h2> <a name="1"> 1. </a> Filing</h2>
+
+<h3> <a name="1.1"> 1.1 </a> Filing Party</h3>
+<p>
+Anyone may file a dispute.
+In filing, they become <i>Claimants</i>.
+</p>
+
+<h3> <a name="1.2">1.2 </a> Channel for Filing</h3>
+
+<p>
+Disputes are filed by being sent to the normal
+support channel of CAcert,
+and a fee may be payable.
+</p>
+
+<p>
+Such fees as are imposed on filing will be specified
+on the dispute resolution page of the website.
+</p>
+
+<h3> <a name="1.3">1.3 </a> Case Manager</h3>
+<p>
+The Case Manager (CM) takes control of the filing.
+</p>
+
+<ol><li>
+ CM makes an initial determination as
+ to whether this filing is a dispute
+ for resolution, or it is a request
+ for routine support.
+ </li><li>
+ CM logs the case and establishes such
+ documentation and communications support as is customary.
+ </li><li>
+ If any party acts immediately on the filing
+ (such as an urgent security action),
+ the CM names these parties to the case.
+ </li><li>
+ CM selects the Arbitrator.
+</li></ol>
+
+<p>
+The personnel within the CAcert support team
+are Case Managers, by default, or as directed
+by the Dispute Resolution Officer.
+</p>
+
+<h3> <a name="1.4">1.4 </a> Contents</h3>
+<p>
+The filing must specify:
+</p>
+
+<ul><li>
+ The filing party(s), being the <i>Claimant(s)</i>.
+ </li><li>
+ The party(s) to whom the complaint is addressed to,
+ being the <i>Respondent(s)</i>.
+ This will be CAcert in the
+ case of requests for support actions.
+ It may be a User (possibly unidentified) in the
+ case where one User has given rise to a complaint against another.
+ </li><li>
+ The <i>Complaint</i>.
+ For example, a trademark has been infringed,
+ privacy has been breached,
+ or a user has defrauded using a certificate.
+ </li><li>
+ The action(s) requested by the filing party
+ (technically, called the <i>relief</i>).
+ For example, to delete an account,
+ to revoke a certificate, or to stop a
+ trademark infringement.
+</li></ul>
+
+<p>
+If the filing is inadequate for lack of information
+or for format, the Case Manager
+may refile with the additional information,
+attaching the original messages.
+</p>
+
+<h3> <a name="1.5">1.5 </a> The Arbitrator</h3>
+
+<p>
+The Case Manager selects the Arbitrator according
+to the mechanism managed by the Dispute Resolution Officer
+and approved from time to time.
+This mechanism is to maintain a list of Arbitrators available for
+dispute resolution.
+Each selected Arbitrator has the right to decline the dispute,
+and should decline a dispute with which there exists a conflict
+of interest.
+The reason for declining should be stated.
+If no Arbitrator accepts the dispute, the case is
+closed with status "declined."
+</p>
+
+<p>
+Arbitrators are experienced Assurers of CAcert.
+They should be independent and impartial, including
+of CAcert itself where it becomes a party.
+</p>
+
+<h2> <a name="2"> 2. </a> The Arbitration</h2>
+
+
+<h3> <a name="2.1">2.1 </a> Authority</h3>
+
+<p>
+The Board of CAcert and the Users vest in Arbitrators
+full authority to hear disputes and deliver rulings
+which are binding on CAcert and the Users.
+</p>
+
+
+<h3> <a name="2.2">2.2 </a> Preliminaries</h3>
+
+<p>
+The Arbitrator conducts some preliminaries:
+</p>
+
+<ul><li>
+ The Arbitrator reviews the available documentation
+ and affirms the rules of dispute resolution.
+ Jurisdiction is established, see below.
+ </li><li>
+ The Arbitrator affirms the governing law (NSW, Australia).
+ The Arbitrator may select local law and local
+ procedures where Claimants and all Respondents
+ agree, are under such jurisdiction, and it is deemed
+ more appropriate.
+ However, this is strictly limited to those parties,
+ and especially, CAcert and other parties
+ remains under the governing law.
+ </li><li>
+ The Arbitrator reviews the Respondents and Claimants
+ with a view to dismissal or joining of additional parties.
+ E.g., support personel may be joined if emergency action was
+ taken.
+ </li><li>
+ Any parties that are not Users and are not bound
+ by the CPS are given the opportunity to enter into
+ CAcert and be bound by the CPS and these rules of arbitration.
+ If these Non-Related Persons (NRPs) remain outside,
+ their rights and remedies under CAcert's policies
+ and forum are strictly limited to that specified in the
+ Non-Related Persons -- Disclaimer and Licence.
+ NRPs may proceed with Arbitration subject to preliminary orders
+ of the Arbitrator.
+ </li><li>
+ Participating Users may not resign until the completion of the case.
+ </li><li>
+ The Arbitrator confirms that all parties accept
+ the forum of dispute resolution.
+ This is especially important where a User might be
+ in a country with no Arbitration Act in law, or
+ where there is reason to believe that a party might
+ go to an external court.
+ </li><li>
+ The Arbitrator confirms that parties are representing
+ themselves. Parties are entitled to be legally
+ represented, but are not encouraged to do so,
+ bearing in mind the volunteer nature of the
+ organisation and the size of the dispute.
+ If they do so they must declare such, including any
+ changes.
+ </li><li>
+ The Arbitrator may appoint experienced Assurers
+ to assist and represent parties, especially for NRPs.
+ The Case Manager must not to provide such assistance.
+ </li><li>
+ The Arbitrator is bound to maintain the balance
+ of legal fairness.
+ </li><li>
+ The Arbitrator may make any preliminary orders,
+ including protection orders and orders referring
+ to emergency actions already taken.
+ </li><li>
+ The Arbitrator may request any written pleadings,
+ counterclaim, and/or statements of defence.
+</li></ul>
+
+
+<h3> <a name="2.3">2.3 </a> Jurisdiction </h3>
+
+<p>
+Jurisidiction - the right or power to hear and rule on
+disputes - is initially established by clauses in the
+User agreements for all CAcert Users.
+The agreement must establish:
+</p>
+
+<ul><li>
+ That all Parties agree to binding Arbitration
+ in CAcert's forum of dispute resolution;
+ </li><li>
+ for all disputes relating to activities within
+ CAcert, issued certificates, roles and actions, etc;
+ </li><li>
+ as defined by these rules, including the selection
+ of a single Arbitrator;
+ </li><li>
+ under the Law of NSW, Australia; and
+ </li><li>
+ the Parties keep email accounts in good working order.
+</li></ul>
+
+<p>
+An external court may have ("assert") jurisdiction to decide on
+issues such as trademark, privacy, contract and fraud,
+and may do so with legal remedies.
+These are areas where jurisdiction may need
+to be considered carefully:
+</p>
+
+<ul><li>
+ Where NRPs, being not members of CAcert and not
+ bound by agreement, are parties to the dispute.
+ E.g., intellectual property disputes may involve
+ NRPs and their trademarks;
+ </li><li>
+ criminal actions or actions likely to result in criminal
+ proceedings,
+ e.g., fraud;
+ </li><li>
+ Contracts between Users that were formed without
+ a clause to seek arbitration in the forum;
+ </li><li>
+ Areas where laws fall outside the Arbitration Act,
+ such as privacy;
+ </li><li>
+ Legal process (subpoenas, etc) delivered by
+ an external court of "competent jurisdiction."
+</li></ul>
+
+<p>
+The Arbitrator must consider jurisdiction and rule on a
+case by case basis whether jurisdiction is asserted,
+either wholly or partially, or declines to hear the case.
+In the event of asserting
+jurisdiction, and a NRP later decides to pursue rights in
+another forum, the Arbitrator should seek the agreement
+of the NRP to file the ruling as part of the new case.
+</p>
+
+<h3> <a name="2.4">2.4 </a> Basis in Law </h3>
+
+<p>
+Each country generally has an Arbitration Act
+that elevates Arbitration as a strong dispute
+resolution forum.
+The Act generally defers to Arbitration
+if the parties have so agreed.
+That is, as Users of CAcert, you agree to resolve
+all disputes before CAcert's forum.
+This is sometimes called <i>private law</i>
+or <i>alternative dispute resolution</i>.
+</p>
+
+<p>
+As a matter of public policy, courts will generally
+refer any case back to Arbitration.
+Users should understand that they will have
+strictly limited rights to ask the courts to
+seek to have a case heard or to override a Ruling.
+</p>
+
+
+<h3> <a name="2.5">2.5 </a> External Courts </h3>
+
+<p>
+ When an external court claims and asserts its jurisdiction,
+ and issues a court order, subpoena or other service to CAcert,
+ the CM files the order as a dispute, with the external court
+ as <i>Claimant</i>.
+ The CM and other support staff are granted no authority to
+ act on the basis of any court order, and ordinarily
+ must await the order of the Arbitrator
+ (which might simply be a repeat of the external court order).
+</p>
+
+<p>
+ The Arbitrator establishes the bona fides of the
+ court, and rules.
+ The Arbitrator may rule to reject the order,
+ for jurisdiction or other reasons.
+ By way of example, if all Parties are registered Users,
+ then jurisdiction more normally falls within the forum.
+ If the Arbitrator rules to reject,
+ he should do so only after consulting with CAcert counsel.
+ The Arbitrator's jurisidiction is ordinarily that of
+ dealing with the order, and
+ not that which the external court has claimed to.
+</p>
+
+
+<h3> <a name="2.6">2.6 </a> Process</h3>
+
+<p>
+The Arbitrator follows the procedure:
+</p>
+
+
+<ol><li>
+ Establish the facts.
+ The Arbitrator collects the evidence from the parties.
+ The Arbitrator may order CAcert or Users under
+ jurisdiction to provide support or information.
+ The Arbitrator may use email, phone or face-to-face
+ meetings as proceedings.
+ </li><li>
+ Apply the Rules of Dispute Resolution,
+ the policies of CAcert and the governing law.
+ The Arbitrator may request that the parties
+ submit their views.
+ The Arbitrator also works to the mission of CAcert,
+ the benefit of all Users, and the community as a whole.
+ The Arbitrator may any assistance.
+ </li><li>
+ Makes a considered Ruling.
+</li></ol>
+
+<h2> <a name="3"> 3. </a> The Ruling</h2>
+
+<h3> <a name="3.1">3.1 </a> The Contents </h3>
+
+<p>
+The Arbitrator records:
+</p>
+
+<ol><li>
+ The Identification of the Parties,
+ </li><li>
+ The Facts,
+ </li><li>
+ The logic of the rules and law,
+ </li><li>
+ The directions and actions to be taken by each party
+ (the ruling).
+ </li><li>
+ The date and place that the ruling is rendered.
+</li></ol>
+
+
+<h3> <a name="3.2">3.2 </a> Process </h3>
+<p>
+Once the Ruling is delivered, the case is closed.
+The Case Manager is responsible for recording the
+Ruling, publishing it, and advising users.
+</p>
+
+<p>
+Proceedings are ordinarily private.
+The Ruling is ordinarily published,
+within the bounds of the Privacy Policy.
+The Ruling is written in English.
+</p>
+
+<p>
+Only under exceptional circumstances can the
+Arbitrator declare the Ruling private <i>under seal</i>.
+Such a declaration must be reviewed in its entirety
+by the Board,
+and the Board must confirm or deny that declaration.
+If it confirms, the existance of any Rulings under seal
+must be published to the Users in a timely manner
+(within days).
+</p>
+
+<h3> <a name="3.3">3.3 </a> Binding and Final </h3>
+
+<p>
+The Ruling is binding and final on CAcert and all Users.
+Ordinarily, all Users agree to be bound by this dispute
+resolution policy. Users must declare in the Preliminaries
+any default in agreement or binding.
+</p>
+
+<p>
+If a person who is not a User is a party to the dispute,
+then the Ruling is not binding and final on that person,
+but the Ruling must be presented in filing any dispute
+in another forum such as the person's local courts.
+</p>
+
+<h3> <a name="3.4">3.4 </a> Re-opening the Case or Appeal </h3>
+
+<p>
+In the case of clear injustices, egregious behaviour or
+unconscionable Rulings, parties may seek to re-open the
+case by filing a dispute. The new Arbitrator
+reviews the new dispute,
+re-examines and reviews the entire case, then rules on
+whether the case may be re-opened or not.
+</p>
+
+<p>
+If the new Arbitrator rules the case be re-opened,
+then it is referred to the Board of CAcert Inc.
+The Board hears the case and delivers a final
+and binding Ruling.
+</p>
+
+<h3> <a name="3.5">3.5 </a> Liability </h3>
+
+<p>
+All liability of the Arbitrator for any act in
+connection with deciding a dispute is excluded
+by all parties, provided such act does not constitute
+an intentional breach of duty.
+All liability of the Arbitrators, CAcert, its officers and its
+employees (including Case Manager)
+for any other act or omission in connection with
+arbitration proceedings is excluded, provided such acts do not
+constitute an intentional or grossly negligent breach of duty.
+</p>
+
+<p>
+The above provisions may only be overridden by
+appeal process (by means of a new dispute causing
+referral to the Board).
+</p>
+
+<h3> <a name="3.6">3.6 </a> Remedies </h3>
+
+<p>
+The Arbitrator generally instructs using internal remedies,
+that is ones that are within the general domain of CAcert,
+but there are some external remedies at his disposal.
+He may rule and instruct any of the parties on these issues.
+</p>
+
+<ul><li>
+ "community service" typically including
+ <ul><li>
+ attend and assure people at trade shows / open source gatherings,
+ </li><li>
+ writing documentation
+ </li><li>
+ serve in role - support, dispute arbitration
+ </li></ul>
+ or others as decided.
+
+ </li><li>
+ Fined by loss of assurance points, which may result
+ in losing Assurer or Assured status.
+
+ </li><li>
+ Retraining in role.
+
+ </li><li>
+ Revoking of any certificates.
+
+ </li><li>
+ Monetary fine up to the liability cap established for
+ each party as described in the Registered User Agreement.
+
+ </li><li>
+ Exclusion from community.
+
+ </li><li>
+ Reporting to applicable authorities.
+
+ </li><li>
+ Changes to policies and procedures.
+
+</li></ul>
+
+<p>
+The Arbitrator is not limited within the general domain
+of CAcert, and may instruct novel remedies as seen fit.
+Novel remedies outside the domain may be routinely
+confirmed by the Board by way of appeals process,
+in order to establish precedent.
+</p>
+
+<h2> <a name="4"> 4. </a> Appendix</h2>
+
+
+<h3> <a name="4.1">4.1 </a> The Advantages of this Forum </h3>
+<p>
+The advantage of this process for Users is:
+</p>
+
+<ul><li>
+ CAcert and Users operate across many jurisdictions.
+ Arbitration allows us to select a single set of
+ rules across all jurisdictions.
+ </li><li>
+ Arbitration allows CAcert to appropriately separate
+ out the routine support actions from difficult dispute
+ actions. Support personnel have no authority to
+ act, the appropriately selected Arbitrator has all
+ authority to act.
+ Good governance is thus maintained.
+ </li><li>
+ This forum allows CAcert Users to look after themselves
+ in a community, without exposing each other to potentially
+ disastrous results in strange courts from foreign lands.
+ </li><li>
+ By volunteering to resolve things "in-house" the costs
+ are reduced.
+ </li><li>
+ Even simple support issues such as password changing
+ can be improved by treating as a dispute. A clear
+ chain of request, analysis, ruling and action can be established.
+ </li><li>
+ CAcert Assurers can develop the understanding and the rules
+ for sorting out own problems far better than courts or
+ other external agencies.
+</li></ul>
+
+<h3> <a name="4.2">4.2 </a> The Disadvantages of this Forum </h3>
+
+<p>
+Some disadvantages exist.
+</p>
+
+<ul><li>
+ Users may have their rights trampled over.
+ In such a case, the community should strive to
+ re-open the case and refer it to the board.
+ </li><li>
+ Users may feel overwhelmed by the formality
+ of the process.
+ It is kept formal so as to establish good and proper
+ authority to act; otherwise, support and other
+ people in power may act without thought and with
+ damaging consequences.
+ </li><li>
+ A country may not have an Arbitration Act.
+ In that case, the parties should enter into
+ spirit of the forum.
+ If they choose to break that spirit,
+ they should also depart the community.
+</li></ul>
+
+<h3> <a name="4.3">4.3 </a> Process and Flow </h3>
+
+<p>
+To the extent reasonable, the Arbitrator conducts
+the arbitration as with any legal proceedings.
+This means that the process and style should follow
+legal tradition.
+</p>
+
+<p>
+However, the Arbitrator is unlikely to be trained in
+law. Hence, common sense must be applied, and the
+Arbitrator has wide latitude to rule on any particular
+motion, pleading, submission. The Arbitrator's ruling
+is final within the arbitration.
+</p>
+
+<p>
+Note also that many elements of legal proceedings are
+deliberately left out of the rules.
+</p>
+
+</body>
+</html>
diff --git a/cacert/www/policy/NRPDisclaimerAndLicence.php b/cacert/www/policy/NRPDisclaimerAndLicence.php
new file mode 100644
index 0000000..6dbc647
--- /dev/null
+++ b/cacert/www/policy/NRPDisclaimerAndLicence.php
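Review bot: Section 2.6, step 2, contains the sentence `The Arbitrator may any assistance.`, which has lost its verb, so this binding text does not say what the Arbitrator is permitted to do; the author should restore the intended word (perhaps `may request any assistance`, but that is a guess). The page title is also misspelled, `<title>Dispute Resulution Policy</title>` should read `<title>Dispute Resolution Policy</title>`, and section 2.2 has `must not to provide` where `must not provide` is meant. Section 3.6 caps fines by the `Registered User Agreement`, while the agreement added elsewhere in this commit appears to be named CAcert Community Agreement; using one name would make clear which document sets the liability cap.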
@@ -0,0 +1,99 @@
+<?php
+loadem("index");
+$id = intval($id);
+//showheader(_("CAcert - Non-Related Persons - Disclaimer and Licence"));
+?>
+
+<table border="1" bgcolor="#EEEEEE"><tr><td>
+
+<h1 align="center"> <?=_("Non-Related Persons")?> </h1>
+<h2 align="center"> <?=_("(Disclaimer and Licence)")?> </h2>
+
+
+<h2> <?=_("Definitions")?> </h2>
+
+<p>
+<?=_("This is a Disclaimer and Licence from
+<u> CAcert Inc </u>,
+the 'issuer',
+to you, the 'user',
+being a general user of the Internet.")?>
+</p>
+
+<h2> Disclaimer </h2>
+
+<p>
+<?=_("The issuer has no other agreement with you,
+and has no control nor knowledge
+as to how you intend to use the products of the issuer.
+You alone take on all of the risk and all of the
+liability of your usage.
+The issuer makes no guarantee, warranty nor promise to you.")?>
+</p>
+
+<p>
+<?=_("Therefore, to the fullest extent possible in law,
+<b>ISSUER DISCLAIMS ALL LIABILITY TO YOU</b>
+on behalf of itself and its related parties.")?>
+</p>
+
+<h2> <?=_("Licence")?> </h2>
+
+<p>
+<?=_("This licence offers you a non-exclusive, non-transferable
+'PERMISSION TO USE' certificates issued by issuer.")?>
+</p>
+
+<ul><li>
+ <?=_("You may 'USE' the certificates as facilitated
+ by your software. For example,
+ you may construct connections, read emails,
+ load code or otherwise, as facilitated by your
+ software.")?>
+ </li><li>
+ <?=_("You may NOT RELY on any statements or claims
+ made by the certificates or implied in any way.")?>
+ </li><li>
+ <?=_("If your software is licensed under a separate
+ third party agreement, it may be permitted
+ to make statements or claims based on the certificates.
+ You may NOT RELY on these statements or claims.")?>
+ </li><li>
+ <?=_("You may NOT distribute certificates or root keys
+ under this licence, nor make representation
+ about them.")?>
+</li></ul>
+
+</td></tr></table>
+
+<h2> <?=_("Alternatives")?> </h2>
+
+<p>
+<?=_("If you find the terms of the above
+Non-Related Persons
+Disclaimer and Licence
+difficult or inadequate for your use, you may wish to")?>
+</p>
+
+<ul><li>
+ <?=sprintf(_("As an individual,
+ %sregister with issuer%s
+ and enter into the user agreement.
+ This is free."),"<a href='https://www.cacert.org/index.php?id=1'>","</a>")?>
+ </li><li>
+ <?=_("As a Third Party Distributor,
+ enter into a separate third party agreement
+ with issuer.")?>
+ </li><li>
+ <?=_("Delete issuer's roots from your software.
+ Your software documentation should give
+ directions and assistance for this.")?>
+</li></ul>
+
+<p>
+<?=_("These alternatives are outside the above
+Non-Related Persons Disclaimer and Licence
+and do not incorporate.")?>
+</p>
+
+
diff --git a/cacert/www/policy/OrganisationAssurancePolicy.php b/cacert/www/policy/OrganisationAssurancePolicy.php
new file mode 100644
index 0000000..7d8699c
--- /dev/null
+++ b/cacert/www/policy/OrganisationAssurancePolicy.php
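Review bot: The line `$id = intval($id);` at the top of this file reads a variable the file never assigns and never uses afterwards, so where its value comes from is not visible in the hunk (presumably the auto-prepended include or request-variable registration). If the page does not need it, drop the line; if it does, read it from the request array explicitly so the page does not depend on globals being injected from outside. Separately, `<h2> Disclaimer </h2>` is the only heading not passed through `_()`, so it will stay untranslated; `<h2> <?=_("Disclaimer")?> </h2>` matches the others. With `showheader(...)` commented out the file emits a bare table fragment, which may be intended if another page includes it.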
@@ -0,0 +1,379 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+<head><title>Organisation Assurance Policy</title></head>
+<body>
+
+<table width="100%">
+
+<tr>
+<td> OAP </td>
+<td> </td>
+<td width="20%"> Jens </td>
+</tr>
+
+<tr>
+<td> POLICY <a href="http://wiki.cacert.org/wiki/TopMinutes-20070917">m20070918.x</a> </td>
+<td> </td>
+<td>
+ $Date: 2008-01-18 22:56:31 $
+ <!--
+ to get this to work, we have to do this:
+ svn propset svn:keywords "Date" file.html
+ except it does not work through the website.
+ -->
+</td>
+</tr>
+
+<tr>
+<td> COD11 </td>
+<td> </td>
+<td> </td>
+</tr>
+
+
+<tr>
+<td> </td>
+<td > <b>Organisation Assurance Policy</b> </td>
+<td> </td>
+</tr>
+
+</table>
+
+
+
+<h2> <a name="0"> 0. </a> Preliminaries </h2>
+
+<p>
+This policy describes how Organisation Assurers ("OAs")
+conduct Assurances on Organisations.
+It fits within the overall web-of-trust
+or Assurance process of Cacert.
+</p>
+
+<p>
+This policy is not a Controlled document, for purposes of
+Configuration Control Specification ("CCS").
+</p>
+
+<h2> <a name="1"> 1. </a> Purpose </h2>
+
+<p>
+Organisations with assured status can issue certificates
+directly with their own domains within.
+</p>
+
+<p>
+The purpose and statement of the certificate remains
+the same as with ordinary users (natural persons)
+and as described in the CPS.
+</p>
+
+<ul><li>
+ The organisation named within is identified.
+ </li><li>
+ The organisation has been verified according
+ to this policy.
+ </li><li>
+ The organisation is within the jurisdiction
+ and can be taken to Arbitration.
+</li></ul>
+
+
+<h2> <a name="2"> 2. </a> Roles and Structure </h2>
+
+<h3> <a name="2.1"> 2.1 </a> Assurance Officer </h3>
+
+<p>
+The Assurance Officer ("AO")
+manages this policy and reports to the board.
+</p>
+
+<p>
+The AO manages all OAs and is responsible for process,
+the CAcert Organisation Assurance Programme form ("COAP"),
+OA training and testing, manuals, quality control.
+In these responsibilities, other Officers will assist.
+</p>
+
+<h3> <a name="2.2"> 2.2 </a> Organisation Assurers </h3>
+
+<p>
+</p>
+
+<ol type="a"> <li>
+ An OA must be an experienced Assurer
+ <ol type="i">
+ <li>Have 150 assurance points.</li>
+ <li>Be fully trained and tested on all general Assurance processes.</li>
+ </ol>
+
+ </li><li>
+ Must be trained as Organisation Assurer.
+ <ol type="i">
+ <li> Global knowledge: This policy. </li>
+ <li> Global knowledge: A OA manual covers how to do the process.</li>
+ <li> Local knowledge: legal forms of organisations within jurisdiction.</li>
+ <li> Basic governance. </li>
+ <li> Training may be done a variety of ways,
+ such as on-the-job, etc. </li>
+ </ol>
+
+ </li><li>
+ Must be tested.
+ <ol type="i">
+ <li> Global test: Covers this policy and the process. </li>
+ <li> Local knowledge: Subsidiary Policy to specify.</li>
+ <li> Tests to be created, approved, run, verified
+ by CAcert only (not outsourced). </li>
+ <li> Tests are conducted manually, not online/automatic. </li>
+ <li> Documentation to be retained. </li>
+ <li> Tests may include on-the-job components. </li>
+ </ol>
+
+ </li><li>
+ Must be approved.
+ <ol type="i">
+ <li> Two supervising OAs must sign-off on new OA,
+ as trained, tested and passed.
+ </li>
+ <li> AO must sign-off on a new OA,
+ as supervised, trained and tested.
+ </li>
+ </ol>
+</ol>
+
+
+
+<h3> <a name="2.3"> 2.3 </a> Organisation Administrator </h3>
+
+<p>
+The Administrator within each Organisation ("O-Admin")
+is the one who handles the assurance requests
+and the issuing of certificates.
+</p>
+
+<ol type="a"> <li>
+ O-Admin must be Assurer
+ <ol type="i">
+ <li>Have 100 assurance points.</li>
+ <li>Fully trained and tested as Assurer.</li>
+ </ol>
+
+ </li><li>
+ Organisation is required to appoint O-Admin,
+ and appoint ones as required.
+ <ol type="i">
+ <li> On COAP Request Form.</li>
+ </ol>
+
+ </li><li>
+ O-Admin must work with an assigned OA.
+ <ol type="i">
+ <li> Have contact details.</li>
+ </ol>
+</ol>
+
+
+<h2> <a name="3"> 3. </a> Policies </h2>
+
+<h3> <a name="3.1"> 3.1 </a> Policy </h3>
+
+<p>
+There is one policy being this present document,
+and several subsidiary policies.
+</p>
+
+<ol type="a">
+ <li> This policy authorises the creation of subsidiary policies. </li>
+ <li> This policy is international. </li>
+ <li> Subsidiary policies are implementations of the policy. </li>
+ <li> Organisations are assured under an appropriate subsidiary policy. </li>
+</ol>
+
+<h3> <a name="3.2"> 3.2 </a> Subsidiary Policies </h3>
+
+<p>
+The nature of the Subsidiary Policies ("SubPols"):
+</p>
+
+<ol type="a"><li>
+ SubP |